A technology company has multiple production accounts grouped into a production organizational unit $($OU$)$ in AWS Organizations. The company wants to prevent all AWS Identity and Access Management $($IAM$)$ users in the production accounts from deleting AWS CloudTrail logs$.$ How can a system administrator enforce this restriction? Create a tag policy and attach it to the production accounts. Create an IAM policy and attach it to each IAM user in the production accounts. Create a service control policy $($SCP$),$ and attach it to the production OU$.$ Create an Amazon S$3$ bucket policy and associate with all buckets containing AWS CloudTrail logs$.$