This is a classic AWS Organizations governance design:

Restrict Regions and allowed services across all accounts

The correct Organizations mechanism for account-wide guardrails is a Service Control Policy (SCP) .

SCPs set the maximum permissions that accounts/OUs can use, making them the right tool to enforce “only these Regions” and “only these services” consistently across the org.

Authentication from Active Directory + consistent job-function roles in every account

With AD as the identity source, the standard approach is federation to AWS using an IAM identity provider (SAML) and role assumption based on job function.

AWS CloudFormation StackSets is the operationally efficient way to deploy identical IAM roles/policies into multiple accounts/OUs so job-function permissions are consistent everywhere.

The roles’ trust policies can be configured to allow federated identities (from the AD-backed IdP) to assume the correct job role in each account.

Why the other options don’t fit:

A “OU with group policies” isn’t an AWS Organizations control mechanism for restricting Regions/services. The AWS-native control for this is SCPs , not “group policies.”

B Permissions boundaries are useful to limit what an IAM principal/role can do within an account , but they are not the org-wide enforcement mechanism for “all accounts must stay in these Regions / use only these services.” That’s what SCPs do.

C AWS RAM is for sharing resources (like subnets, Transit Gateway, etc.), not for “sharing roles” across accounts as a governance baseline. Also, the question emphasizes identical permissions in each account, which is best achieved by provisioning roles in each account (StackSets), not attempting to “share” roles.