...

On AWS, we use the S3 backend for Terraform state. We create a separate backend bucket for each AWS account. Terraform state should be encrypted using unique, customer-managed KMS keys. The state object key for each module (the backend's `key` setting) should reflect that module's path within the infrastructure repository.
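A check of these rules that could run in CI, as an added example and not part of the original page. It assumes the naming convention `<module path>/terraform.tfstate` for the state key; the bucket name, KMS alias and module paths in the sample are constructed.

```python
import re

# Constructed sample: module path in the repository -> contents of its backend file.
SAMPLE_MODULES = {
    "network/vpc": '''
terraform {
  backend "s3" {
    bucket     = "example-tfstate-111111111111"
    key        = "network/vpc/terraform.tfstate"
    region     = "eu-west-1"
    encrypt    = true
    kms_key_id = "alias/example-tfstate"
  }
}
''',
    "apps/billing": '''
terraform {
  backend "s3" {
    bucket = "example-tfstate-111111111111"
    key    = "terraform.tfstate"
    region = "eu-west-1"
  }
}
''',
}

# Simple matchers for a flat backend block (no nested braces, no HCL comments).
BACKEND_RE = re.compile(r'backend\s+"s3"\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def check_backend(module_path, hcl):
    """Return a list of findings for one module's S3 backend block."""
    match = BACKEND_RE.search(hcl)
    if not match:
        return ["no s3 backend block"]
    attrs = dict(ATTR_RE.findall(match.group(1)))
    findings = []
    expected = f"{module_path.strip('/')}/terraform.tfstate"  # assumed convention
    if attrs.get("key") != expected:
        findings.append(f"key should be {expected!r}, got {attrs.get('key')!r}")
    if attrs.get("encrypt") != "true":
        findings.append("encrypt is not true")
    if not attrs.get("kms_key_id"):
        findings.append("kms_key_id is not set")
    return findings

if __name__ == "__main__":
    for path, hcl in SAMPLE_MODULES.items():
        print(path, check_backend(path, hcl) or "OK")
```

The check only confirms that a KMS key is configured; whether that key is customer-managed and unique to the account has to be verified against KMS itself.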

You can use the Terraform state backend CloudFormation template to create a secure Terraform state backend for each AWS account. When using Control Tower, you can use Customizations for Control Tower to create a Terraform state backend as part of the baseline for each account.

...