Which AWS service enables central application of policy-based controls across multiple accounts?

The AWS service that enables the central application of policy-based controls across multiple accounts is AWS Organizations. This service allows you to manage multiple AWS accounts in a consolidated manner, where you can set policies and governance frameworks for all the accounts within your organization.

AWS Organizations enables you to create organizational units (OUs) and apply Service Control Policies (SCPs) to manage permissions and ensure compliance across the various accounts. This centralized control allows you to establish policies that dictate what actions can be performed by accounts or groups of accounts within the organization. By doing this, you maintain a consistent security posture and compliance framework, ensuring that all accounts adhere to your organization's governance requirements.

The other options represent functionalities that, while beneficial, do not serve the same overarching purpose of central policy management across multiple accounts. AWS Single Sign-On focuses on managing access and identity governance rather than policy enforcement. AWS Control Tower provides a framework and best practices for setting up new accounts but does not primarily handle the centralized application of policy-based controls like Organizations does. AWS IAM (Identity and Access Management) is designed for managing access at the resource level within a single AWS account and does not extend policy management across multiple accounts in the same way Organizations does.