The cleanest design is an AWS Config organization conformance pack deployed centrally. Conformance packs are YAML templates that can include AWS Config managed rules, custom rules, and remediation actions. AWS Config also supports managing conformance packs across all member accounts in an AWS Organizations organization, allowing centralized deployment, update, and deletion. The PutOrganizationConformancePack API deploys a conformance pack across member accounts and can create AWS Config rules and remediation actions without requiring member-account IAM permissions for those individual rule operations. Because the requirement includes four custom rules and five managed rules, the conformance pack must include all nine rules. Deploying only custom rules leaves the managed rules outside the update model. CloudFormation StackSets add unnecessary operational overhead and do not provide the same native organization conformance-pack governance.