You can use separate AWS accounts for Digger locks and target infrastructure.
If you only pass
AWS_SECRET_ACCESS_KEYenv vars, same account will be used for both
If in addition you also pass
DIGGER_AWS_SECRET_ACCESS_KEYvars then those will be used for Digger locks, and the first pair will be used as target account