scumola | 3 years ago
Then about 5 years ago, AWS suggested that we use the multi-account strategy. I changed jobs and decided to go with Control Tower, AWS Orgs and the multi-account strategy. I spent more time writing automation to supplement it, and writing Terraform and Python code to build supporting infrastructure to tie accounts together and enable the proper services and networking in all accounts. The automation for building a new account grew and grew and became a behemoth. There's no API for Control Tower, and the process of setting up a new account with MFA enabled and all of the bells and whistles enabled is such a pain in the ass that I consider the AWS multi-account strategy not worth it AT ALL anymore. I don't care how much it reduces the "blast zone"; it's a monumentally stupid idea.
You should try to put all of your eggs into one basket and manage access to your resources inside of IAM instead. Use tags smartly and you'll thank me in the long run.
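The "use tags smartly" approach the comment above recommends usually means attribute-based access control (ABAC): IAM conditions that compare a tag on the resource with a tag on the calling principal. The Terraform below is an added example, not code from the thread or from any of the commenters; it assumes principals carry a `team` principal/session tag, uses EC2 only (ABAC needs actions that honour resource tags), and the policy name `team-abac` and tag key `team` are made up for illustration.

```hcl
# Added example: single-account ABAC in Terraform (not from the thread).
# Assumptions: every human or role principal is tagged "team"; EC2 only.
data "aws_iam_policy_document" "team_abac" {
  # Operate only on instances whose team tag matches the caller's team tag.
  statement {
    sid       = "TeamScopedInstanceOps"
    effect    = "Allow"
    actions   = ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances", "ec2:TerminateInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/team"
      values   = ["$${aws:PrincipalTag/team}"] # "$$" stops HCL interpolating the IAM variable
    }
  }

  # New instances and volumes must carry the caller's team tag at creation time.
  statement {
    sid       = "LaunchOnlyIntoOwnTeam"
    effect    = "Allow"
    actions   = ["ec2:RunInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:RequestTag/team"
      values   = ["$${aws:PrincipalTag/team}"]
    }
  }

  # RunInstances also touches resources that cannot carry the request tag.
  statement {
    sid     = "LaunchSupportingResources"
    effect  = "Allow"
    actions = ["ec2:RunInstances"]
    resources = [
      "arn:aws:ec2:*:*:image/*",
      "arn:aws:ec2:*:*:subnet/*",
      "arn:aws:ec2:*:*:security-group/*",
      "arn:aws:ec2:*:*:network-interface/*",
      "arn:aws:ec2:*:*:key-pair/*",
    ]
  }

  # Tagging is permitted only as part of the create call, never afterwards.
  statement {
    sid       = "TagOnCreateOnly"
    effect    = "Allow"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["RunInstances"]
    }
  }

  # The scheme is only as strong as the tag: deny changing "team" on existing resources.
  statement {
    sid       = "DenyTeamRetagging"
    effect    = "Deny"
    actions   = ["ec2:CreateTags", "ec2:DeleteTags"]
    resources = ["*"]
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "aws:TagKeys"
      values   = ["team"]
    }
    condition {
      test     = "Null"
      variable = "ec2:CreateAction"
      values   = ["true"] # i.e. not a tag-on-create request
    }
  }
}

resource "aws_iam_policy" "team_abac" {
  name   = "team-abac" # hypothetical name
  policy = data.aws_iam_policy_document.team_abac.json
}
```

Two checks before relying on this in a single account: who can set the `team` tag on principals (`iam:TagUser`, `iam:TagRole`, `sts:TagSession` on the identity provider's roles) must be locked down just as tightly as the resource tags, or any user can retag themselves into another team; and each service you extend the pattern to must actually support `aws:ResourceTag` and `aws:RequestTag` for the actions you care about, which is not universal.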
coredog64 | 3 years ago
Until then, there are things like Account Factory for Terraform. Or, if you're really burned out on Control Tower, you can check out OrgFormation.