How to build a mechanism to govern multiple AWS data locking features?


Background

There is an identified need to govern the multiple data locking features that AWS provides, in the context of a multi-account environment with independent teams. If there is no governance, data locking might be enabled in various AWS accounts (in various regions), causing a potential compliance nightmare and related challenges to roll back if data is accidentally locked for multiple years.

It seems the only way to exit compliance-mode data locking is to fully close the related AWS account (the data then seems to be deleted after 90 days, even when locked).

Optimally, the use of AWS locking features would be allowed only by exception (after human review of each use case). Governance mode could be allowed by default for all accounts/resources, but it should be possible to prevent the use of compliance mode (in any AWS service that provides data locking) with SCPs in AWS Organizations.

At least these three operations have been identified as related to data locking:

  • backup:PutBackupVaultLockConfiguration
  • glacier:CompleteVaultLock
  • s3:PutBucketObjectLockConfiguration

Questions

  1. To deny all AWS data locking features, what IAM actions need to be denied with an SCP, in addition to the ones above?
  2. Is the only way to exit a Backup Vault Lock to close the related AWS account (with a 90-day grace period)?
  3. How can one confirm the deletion of data related to the question above? The assumption is that the data remains until the grace period (90 days) has passed. Does AWS emit any logs (when the account is being closed) that prove that the data has actually been wiped?
  4. How can one list which data locks are currently in use? Is CloudTrail the only option?
  5. Are there any other best practices to share for centrally governing the various AWS data locking features?
No answers
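Questions 1 and 4 above both come down to code: which calls to deny in an SCP, and how to enumerate the locks already in place. The following is an added example written for this page, not code from the original post or from AWS. The boto3 operation names (GetObjectLockConfiguration, ListBackupVaults, ListVaults, GetVaultLock) and the IAM actions and condition keys are real; the `StubAws` client, the `SAMPLE` data, and the `LockGovernance` role ARN are constructed stand-ins so the script runs offline, and a practitioner would pass real `boto3.client("s3")`, `boto3.client("backup")` and `boto3.client("glacier")` objects in their place.

```python
"""Inventory the data-lock features named in the question (S3 Object Lock, AWS Backup
Vault Lock, S3 Glacier Vault Lock) and build an SCP that blocks turning them on.  Added
example, not part of the original post; StubAws and SAMPLE are constructed stand-ins."""
import json

def _error_code(exc):  # botocore's ClientError carries the AWS error code here
    return getattr(exc, "response", {}).get("Error", {}).get("Code", "")

def s3_object_locks(s3, bucket_names):
    """Buckets with Object Lock enabled; mode is the bucket's default-retention mode."""
    found = []
    for name in bucket_names:
        try:
            cfg = s3.get_object_lock_configuration(Bucket=name)["ObjectLockConfiguration"]
        except Exception as exc:
            if _error_code(exc) == "ObjectLockConfigurationNotFoundError":
                continue  # Object Lock was never enabled on this bucket
            raise
        if cfg.get("ObjectLockEnabled") == "Enabled":
            mode = cfg.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
            found.append({"service": "s3", "resource": name, "mode": mode})
    return found

def backup_vault_locks(backup):
    """Locked vaults.  LockDate set = compliance mode, immutable once that date passes;
    no LockDate = governance mode, removable via DeleteBackupVaultLockConfiguration."""
    found = []  # with a real client, page via backup.get_paginator("list_backup_vaults")
    for v in backup.list_backup_vaults()["BackupVaultList"]:
        if v.get("Locked"):
            found.append({"service": "backup", "resource": v["BackupVaultName"],
                          "mode": "COMPLIANCE" if v.get("LockDate") else "GOVERNANCE"})
    return found

def glacier_vault_locks(glacier):
    """Vaults with a lock policy.  'Locked' is permanent; 'InProgress' can still be
    aborted (glacier:AbortVaultLock) within 24 hours of InitiateVaultLock."""
    found = []
    for v in glacier.list_vaults(accountId="-")["VaultList"]:
        try:
            lock = glacier.get_vault_lock(accountId="-", vaultName=v["VaultName"])
        except Exception as exc:
            if _error_code(exc) == "ResourceNotFoundException":
                continue  # no lock policy on this vault
            raise
        found.append({"service": "glacier", "resource": v["VaultName"],
                      "mode": "COMPLIANCE" if lock["State"] == "Locked" else "IN_PROGRESS"})
    return found

def run_inventory(s3, bucket_names, backup, glacier):
    return s3_object_locks(s3, bucket_names) + backup_vault_locks(backup) + glacier_vault_locks(glacier)

def compliance_mode(records):
    """Resources whose retention no principal, root included, can shorten."""
    return [r["resource"] for r in records if r["mode"] == "COMPLIANCE"]

LOCK_ACTIONS = ["backup:PutBackupVaultLockConfiguration",  # one action for both vault-lock modes
                "glacier:InitiateVaultLock", "glacier:CompleteVaultLock",
                "s3:PutBucketObjectLockConfiguration"]  # the question's three plus InitiateVaultLock

def build_deny_lock_scp(exempt_principal_arns=()):
    """SCP: deny enabling locks except for reviewed (break-glass) principals;
    governance-mode S3 retention stays allowed, compliance mode is denied."""
    exempt = ({"ArnNotLike": {"aws:PrincipalArn": list(exempt_principal_arns)}}
              if exempt_principal_arns else {})
    statements = [
        {"Sid": "DenyEnablingDataLocks", "Effect": "Deny", "Action": LOCK_ACTIONS,
         "Resource": "*", **({"Condition": exempt} if exempt else {})},
        {"Sid": "DenyComplianceModeRetention", "Effect": "Deny", "Resource": "*",
         "Action": ["s3:PutObject", "s3:PutObjectRetention"],
         "Condition": {"StringEquals": {"s3:object-lock-mode": "COMPLIANCE"}, **exempt}},
    ]
    return {"Version": "2012-10-17", "Statement": statements}

class _StubError(Exception):  # shaped like botocore.exceptions.ClientError
    def __init__(self, code): self.response = {"Error": {"Code": code}}

class StubAws:  # offline stand-in for the s3, backup and glacier boto3 clients
    def __init__(self, s3_cfgs, vaults, glacier_locks):
        self.s3_cfgs, self.vaults, self.glacier_locks = s3_cfgs, vaults, glacier_locks
    def get_object_lock_configuration(self, Bucket):
        if Bucket not in self.s3_cfgs: raise _StubError("ObjectLockConfigurationNotFoundError")
        return {"ObjectLockConfiguration": self.s3_cfgs[Bucket]}
    def list_backup_vaults(self): return {"BackupVaultList": self.vaults}
    def list_vaults(self, accountId): return {"VaultList": [{"VaultName": n} for n in self.glacier_locks]}
    def get_vault_lock(self, accountId, vaultName):
        if self.glacier_locks[vaultName] is None: raise _StubError("ResourceNotFoundException")
        return self.glacier_locks[vaultName]

SAMPLE_BUCKETS = ["finance-worm", "logs-plain"]  # constructed sample data, not real accounts
SAMPLE = StubAws(
    {"finance-worm": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}},
    [{"BackupVaultName": "prod-vault", "Locked": True, "LockDate": "2024-01-15T00:00:00Z"},
     {"BackupVaultName": "test-vault", "Locked": True}],  # locked, no LockDate: governance
    {"archive-a": {"State": "Locked", "Policy": "{}"}, "archive-b": None})

if __name__ == "__main__":
    found = run_inventory(SAMPLE, SAMPLE_BUCKETS, SAMPLE, SAMPLE)
    print(json.dumps(found, indent=2), "\ncompliance-mode:", compliance_mode(found))
    print(json.dumps(build_deny_lock_scp(["arn:aws:iam::*:role/LockGovernance"]), indent=2))
```

Two caveats when using this for real. First, SCPs do not constrain the organization's management account, so the inventory side still matters there. Second, Object Lock can also be switched on at bucket creation, which `s3:PutBucketObjectLockConfiguration` alone does not cover; S3 documents a condition key for that on `s3:CreateBucket`, so check the S3 condition-key reference and add a matching Deny statement before relying on the policy.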
