Using AWS Control Tower you can implement a multi-account scheme, as recommended by AWS best practices, in which you centrally enforce policies (guardrails) while centralizing and protecting AWS CloudTrail logs in a designated logging account.
Make sure your workloads are divided into multiple accounts, leaving a set of core accounts (logging, audit, backups, networking, etc.) that provide support for all other accounts, plus a set of dev/test/prod accounts per business unit or workload. If you have “THE production account”, start working towards moving workloads into separate accounts to reduce the blast radius of a potential security incident.
The following services are integrated with AWS Organizations (AWS Control Tower is built on AWS Organizations) and support delegated administration, so the security team can have visibility into the security and compliance posture of the whole organization from the security account:
If you have an existing organization you can still enable AWS Control Tower.
If everything is in one account, set up AWS Control Tower in a new account and add the existing account to the organization. It is not advisable to configure AWS Control Tower on an account that already hosts workloads: the management account (the organization root) is not affected by SCPs, so it should not be used for day-to-day access.
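The two points above, guardrails enforced centrally through SCPs and the management account being exempt from them, are easier to reason about with a concrete policy in hand. The following is an added example, not code from the page or from AWS Control Tower itself: a minimal SCP of the same kind as a "protect CloudTrail" guardrail, written as a Python dictionary so it can be dumped to JSON and attached with `aws organizations create-policy` / `attach-policy`, together with a deliberately simplified evaluator (no conditions, no `NotAction`) that shows how the Deny behaves for a member account versus the management account. The account IDs are constructed placeholders.

```python
"""Added example (not from the original page): an SCP that stops any principal
in a member account from disabling or tampering with CloudTrail, plus a small
simulator of how SCP Deny statements are applied."""
import fnmatch
import json

# Constructed placeholder; replace with your organization's management account ID.
MANAGEMENT_ACCOUNT_ID = "111111111111"

# Guardrail-style SCP: explicit Deny beats any Allow granted inside the account,
# and it applies to every principal in the member account, including root.
PROTECT_CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        },
        {
            # Keep accounts from escaping the guardrails altogether.
            "Sid": "DenyLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def scp_document() -> str:
    """JSON text suitable for `aws organizations create-policy --content file://...`."""
    return json.dumps(PROTECT_CLOUDTRAIL_SCP, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching: '*' and '?' wildcards, case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern: str, resource: str) -> bool:
    # ARN matching keeps case; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def scp_denies(scp: dict, action: str, resource: str, account_id: str) -> bool:
    """Simplified SCP evaluation: True if `action` on `resource` is blocked for a
    principal in `account_id`. Models two facts the text relies on: SCP Deny
    statements apply to all principals in member accounts, and SCPs never
    restrict the management account. Conditions and NotAction are not modeled."""
    if account_id == MANAGEMENT_ACCOUNT_ID:
        return False
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    print(scp_document())
    trail = "arn:aws:cloudtrail:us-east-1:222222222222:trail/example"  # constructed
    print("member can stop logging:", not scp_denies(PROTECT_CLOUDTRAIL_SCP, "cloudtrail:StopLogging", trail, "222222222222"))
    print("mgmt can stop logging:  ", not scp_denies(PROTECT_CLOUDTRAIL_SCP, "cloudtrail:StopLogging", trail, MANAGEMENT_ACCOUNT_ID))
```

The evaluator makes the design point visible: the same Deny that protects every member account does nothing in the management account, which is exactly why that account should hold no workloads and see no routine access.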
https://aws.amazon.com/controltower/pricing
Note: if you can’t enable AWS Control Tower because you need additional flexibility or customization of the accounts, you can leverage the following solution: Landing Zone Accelerator on AWS