I would recommend dedicating an entire AWS account to this. Or, if you have a solid tagging strategy[0], you can craft your IAM policies to only allow Appliku access to resources tagged with a particular tag.
A separate account will be the best strategy. I prefer having separate accounts for every project. It's a hassle to log in between them, but it's the best isolation there can be between projects.
0 - https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags...
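
An added example, not from the thread or from Appliku's documentation: an IAM identity policy that limits a principal to EC2 instances carrying one tag and denies it the ability to add or remove that tag, so it cannot widen its own scope. The tag key `managed-by`, the value `appliku`, and the choice of EC2 actions are assumptions for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/managed-by": "appliku" }
      }
    },
    {
      "Sid": "DenyChangingTheScopingTag",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": ["managed-by"] }
      }
    }
  ]
}
```

Tag scoping only applies to actions that support the `aws:ResourceTag` condition key, and it depends on nobody else being able to retag resources; a dedicated account does not have either dependency.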