S3 + DynamoDB is the right move, but honestly the real win is splitting state by environment and ownership. One monolithic state file across three teams is a recipe for conflicts and accidental rollbacks.
What actually saved us: separate Terraform workspaces per team, remote state in S3, and strict IAM policies so teams can't touch each other's infrastructure. Added a pre-commit hook to catch credential leaks before they hit Git.
The credentials thing never stops being a problem though. I've seen it happen even with remote state. Consider using something like Vault or AWS Secrets Manager for anything sensitive, not Terraform variables.
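
A pre-commit hook of the kind mentioned above could look like the following. This is an added example, not the commenter's actual hook; the regexes, the choice to block `*.tfstate` files, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original comment. Install as .git/hooks/pre-commit.
# The patterns below are assumptions (heuristics); tune them for your repository.

# ERE for credential-looking text: AWS access key IDs, PEM private keys,
# AWS secret key assignments, and literal password/secret/token values
# (interpolations such as "${var.x}" are skipped by excluding "$").
SECRET_RE='(AKIA|ASIA)[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----'
SECRET_RE="$SECRET_RE"'|aws_secret_access_key[[:space:]]*='
SECRET_RE="$SECRET_RE"'|(password|secret|token)[[:space:]]*=[[:space:]]*"[^"$]{8,}"'

# find_secrets: read a unified diff on stdin and print the ADDED lines that
# match SECRET_RE. Removed lines and "+++ b/file" headers are ignored.
# Exit status 0 means at least one suspicious line was found.
find_secrets() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -E -e "$SECRET_RE"
}

# blocked_paths: read file names on stdin and print Terraform state files
# (terraform.tfstate, *.tfstate.backup, ...). Local state holds resource
# attributes in plaintext, so it should never be staged.
blocked_paths() {
    grep -E '\.tfstate(\.[^/]*)?$'
}

main() {
    status=0
    if git diff --cached --name-only --diff-filter=ACMR | blocked_paths >&2; then
        echo "pre-commit: Terraform state files must not be committed" >&2
        status=1
    fi
    if git diff --cached -U0 --diff-filter=ACMR | find_secrets >&2; then
        echo "pre-commit: possible credential in staged changes" >&2
        status=1
    fi
    return "$status"
}

# Run the checks only when installed as the hook, so the functions above can
# be sourced and tested without a git repository.
case "$0" in
    pre-commit|*/pre-commit) main || exit 1 ;;
esac
```

A local hook can be bypassed with `git commit --no-verify`, so the same checks belong in CI as well.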