A company uses AWS CloudFormation to deploy IAM resources within accounts that AWS Control Tower...

Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):

The security requirement is preventive: “prevent the deployment” of IAM roles that contain an overly permissive inline policy (Allow on Action:* and Resource:*). Preventive enforcement should occur at deployment time so noncompliant IAM resources are blocked before they exist. In a Control Tower-governed environment where resources are provisioned through CloudFormation, the most appropriate mechanism is a proactive control that evaluates templates and denies noncompliant stack operations.

Option A matches this intent. Control Tower proactive controls are designed to provide preventative guardrails by checking resource configurations (including Infrastructure as Code deployments) against defined rules and blocking deployments that violate policy. This stops risky IAM roles from being created in the first place, which is preferable to after-the-fact detection and cleanup.

Options B, C, and D are detective or reactive patterns. Detective controls (and AWS Config rules) can identify noncompliance after resources are created, but that does not “prevent deployment.” Even if remediation is automated (Option C), there is still a window where an overly permissive role exists and could be assumed or exploited. Option D only notifies, which is insufficient. Option B suggests deleting policies on deployment, but Control Tower detective controls are not intended to automatically delete deployed IAM policies; they primarily detect and report drift/noncompliance.

Therefore, A is the best solution because it enforces the requirement proactively by blocking noncompliant CloudFormation deployments, maintaining a stronger security posture and reducing operational burden associated with detection and remediation.