A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU. Which solution will meet this requirement? A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU. B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU. C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU. D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.