Explanation

Service Control Policies (SCPs) in AWS Organizations is the correct answer.

Why SCPs are the right choice:

1. SCPs are designed for centralized governance: Service Control Policies are a feature of AWS Organizations that allow you to set permission guardrails for what actions users and roles can perform across your AWS accounts.

2. Region restriction capability: SCPs can be used to restrict access to AWS services in specific regions. You can create policies that:

   • Deny access to Amazon Bedrock in certain regions
   • Allow access only to specific regions
   • Control which accounts can access Bedrock in which regions

3. Organizational-level control: SCPs work at the AWS Organizations level, making them ideal for enterprise-wide governance and compliance requirements.

Why AWS Trusted Advisor is not correct:

• AWS Trusted Advisor is an optimization tool that provides recommendations to help you follow AWS best practices for cost optimization, performance, security, and fault tolerance.
• It does not have the capability to restrict access to AWS services or regions.
• Trusted Advisor is advisory in nature and cannot enforce access controls.

Additional context:

Amazon Bedrock is a fully managed service that makes foundation models (FMs) from leading AI companies available through a single API. Organizations often need to control where their AI workloads run for compliance, data residency, or cost management reasons. SCPs provide the centralized governance mechanism to enforce these restrictions across all AWS accounts in an organization.