A company uses AWS Organizations to manage its AWS environment.

Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

To ensure users can launch instances only from approved AMIs, the control must be enforced at authorization time, not after the fact. An IAM policy with a condition that evaluates the resource tags on the AMI is the correct method. By using an aws:ResourceTag/ApprovedAMI condition (paired with allowing ec2:RunInstances only when the chosen AMI has the required tag/value), the organization can prevent launches from untagged or unapproved images. This implements preventative control and aligns with least privilege.

Option A (Organizations tag policy) is not an enforcement mechanism for EC2 API authorization; tag policies primarily help standardize tagging and report compliance rather than block API calls. Option C (AWS Config required-tags) evaluates resources for compliance after creation and cannot reliably prevent a launch at the time of the API call. Option D is unrelated; GuardDuty detections do not enforce AMI usage policy.