Establish an AWS Organizations entity. Implement a single Service Control Policy (SCP) for least privilege access across all accounts. Organize all accounts under a single Organizational Unit (OU). Set up an IAM identity provider for federation with the on-premises AD FS server. Configure a central logging account to receive log events from log-generating services. Activate AWS Config in the central account with conformance packs for all accounts.

Set up an AWS Organizations entity. Activate AWS Control Tower. Review and adjust included controls (guardrails) for SCPs. Assess AWS Config for necessary enhancements. Organize accounts into appropriate OUs. Integrate AWS IAM Identity Center (AWS Single Sign-On) with the on-premises AD FS server.

Create an AWS Organizations entity. Define SCPs for least privilege access. Structure OUs to categorize AWS accounts. Link AWS IAM Identity Center (AWS Single Sign-On) with the on-premises AD FS server. Establish a central logging account for log event collection. Enable AWS Config in the central account with aggregators and conformance packs.

Form an AWS Organizations entity. Activate AWS Control Tower. Evaluate and modify included controls (guardrails) for SCPs. Review AWS Config for necessary updates. Configure an IAM identity provider for federation with the on-premises AD FS server.