AWS Organizations service control policies (SCPs) are designed to enforce permission guardrails across accounts. SCPs define the maximum available permissions for IAM principals in member accounts, regardless of the permissions granted by IAM policies. Because the requirement is to prevent EC2 instance launches without a required tag and to apply the restriction only to accounts within a specific organizational unit, SCPs are the correct control mechanism.

By creating an SCP that denies the ec2:RunInstances action when the CostCenter-Project tag is missing, the CloudOps engineer ensures that no EC2 instance can be launched without the required tag. Attaching the SCP directly to the application OU limits the scope of enforcement to only the accounts that belong to that OU, which satisfies the requirement precisely.

IAM-based solutions such as user groups or roles cannot enforce controls across multiple accounts consistently and can be bypassed by users with sufficient permissions. Attaching the SCP to the root OU would incorrectly apply the restriction to all accounts in the organization, which violates the requirement.

Therefore, attaching a tag-enforcing SCP to the application OU is the correct and least operationally complex solution.