I am planning to deploy dev and prod stacks to separate aws accounts. The environments will also have separate stacks. What would be the best way to enforce that dev stacks (there could be many of these) go to the dev account and that the prod stack (of which there should be at most one) goes to the prod aws account? The only thing I can think of is using policy packs. In terraform you would achieve this by having separate provider files for example. Is anybody else doing this in a better way? Or am I wrong in the entire approach?

The simplest thing is just setting the AWS provider configuration via stack configuration. Then only the prod stack would use the pros account a configuration, and similar for dev. Is there some aspect of what you want to ensure that this does not achieve? There are several other tools/patterns you can use - but depend a bit on more details of what you want to accomplish.

right. I just found this: https://www.pulumi.com/docs/intro/cloud-providers/aws/#configuration, which seems to be exactly what you suggest/what tf does. and it does seem like the correct way, I will try it now. Thank you!