Could you please share some details on how to deal with different AWS accounts, configuring providers accordingly (not relying on environmental tokens) and so on because I think that’s important to mention early? Also in terms of dealing with permissions limiting the blast radius…

Hey Andreas, you may have received an answer in the workshop (if that's what you were following when you posted this question), but the short answer is this is doable by using "explicit" providers, configuring them with the credentials or profile you want to use, and then setting them on your resources. Here's documentation and an example at https://www.pulumi.com/docs/intro/concepts/programming-model/#explicit-provider-configuration.