Related to above: policy packs don't use the creds in a resource's provider property. Is this something that could reasonably happen? I can raise an issue about it, if it's fixable.
I applied a policy pack to a stack where all the resources are configured to use a provider that is associated with a different AWS account than my default AWS_PROFILE points to.
It seemed to mostly work, reporting a few (correct) validation advisories about bucket logging.
However, it also threw an error (a stack trace, not a normal CrossGuard error) reporting that it could not find an ACM certificate (which is in the stack's account) when looking in my AWS_PROFILE's account.
When I changed my AWS_PROFILE to match the stack's resources, the error went away.
I presume that this means if I had certificates in two accounts in a single stack, there is no way that a policy pack could be successfully applied.