Service Control Policies in AWS Organizations set the maximum permissions available to all identities within an account, including users who have administrator-level permission sets in IAM Identity Center. A Deny SCP for iam:CreateUser attached to the research team ' s account overrides the AdministratorAccess policy in the permission set and cannot be bypassed by any action within the account. This makes it the most enforceable and tamper-resistant solution. Option A attaches a deny policy to the permission set itself, which would work for sessions using that permission set, but does not prevent IAM users in the account from creating other IAM users. Option B sets a permissions boundary, which can only limit a role ' s maximum permissions, not prevent users from performing actions outside their own role ' s context. Option D is reactive, allowing IAM user creation before deletion, which is not prevention.

================