Docs

Cloud Scoping

How the isolated area is defined within each cloud provider.

Your application lives in a small, isolated area within the customer's cloud account. This page explains what that area looks like on each provider, and how the boundary is drawn.

The requirements are the same everywhere: lightweight to set up, fine-grained enough that your application can't touch anything outside its boundary, and easy for the customer's security team to review.

For Operate Existing, the same boundaries define read-only inventory scope. Alien observes resources in the agreed account, project, resource group, or Kubernetes selector without taking lifecycle ownership.

Azure — Resource Group

A resource group is a container that holds related resources. It's the clearest model — the boundary is explicit and visible in the Azure portal.

The customer creates a resource group for your deployment. All of your application's resources live inside it. Permissions are scoped to the group — Alien can't see or manage anything in other resource groups.

╔═ Customer's Azure Subscription ════════════════════════════╗
║                                                            ║░
║  ┌─ rg-acme-myapp ───────────────────────────────────┐     ║░
║  │                                                   │     ║░
║  │  Container App · Blob Storage · Service Bus       │     ║░
║  │  Key Vault · Managed Identity                     │     ║░
║  │                                                   │     ║░
║  └───────────────────────────────────────────────────┘     ║░
║                                                            ║░
║  Other resource groups — untouched.                        ║░
╚════════════════════════════════════════════════════════════╝░
 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

GCP — Project

A GCP project is a natural isolation boundary. Each project has its own resources, permissions, and billing.

The customer creates a project for your deployment. Alien's permissions are scoped to that project with custom IAM roles generated from Alien's permission sets, resource-level bindings, and IAM Conditions where GCP supports them. Other projects in the customer's organization are invisible.

╔═ Customer's GCP Organization ══════════════════════════════╗
║                                                            ║░
║  ┌─ Project: acme-myapp ────────────────────────────┐      ║░
║  │                                                  │      ║░
║  │  Cloud Run · Cloud Storage · Pub/Sub             │      ║░
║  │  Secret Manager · Service Account                │      ║░
║  │                                                  │      ║░
║  └──────────────────────────────────────────────────┘      ║░
║                                                            ║░
║  Other projects — untouched.                               ║░
╚════════════════════════════════════════════════════════════╝░
 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

AWS — Resource Prefix

AWS doesn't have a built-in container like a resource group or project. Instead, the boundary is defined through a naming prefix — a short, unique string that all of your deployment's resources share.

Alien generates an 8-character prefix for each deployment (e.g. k44e9b72). Every resource is named with this prefix: k44e9b72-worker (Lambda), k44e9b72-data (S3 bucket), k44e9b72-tasks (SQS queue). IAM policies then restrict access to resources matching that prefix — every ARN is scoped to k44e9b72-*.

╔═ Customer's AWS Account ═══════════════════════════════════╗
║                                                            ║░
║  Resources matching prefix "k44e9b72-*":                   ║░
║  ┌─────────────────────────────────────────────────────┐   ║░
║  │                                                     │   ║░
║  │  k44e9b72-worker    (Lambda)                        │   ║░
║  │  k44e9b72-data      (S3 bucket)                     │   ║░
║  │  k44e9b72-tasks     (SQS queue)                     │   ║░
║  │  k44e9b72-secrets   (Secrets Manager)                │   ║░
║  │                                                     │   ║░
║  └─────────────────────────────────────────────────────┘   ║░
║                                                            ║░
║  Other resources — denied by IAM policy.                   ║░
╚════════════════════════════════════════════════════════════╝░
 ░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░

Why a prefix instead of tags or a dedicated account? A few reasons:

  • Works everywhere. S3 bucket names, Lambda function names, SQS queue names, Secrets Manager names — all support prefix-based scoping in IAM policies. Not all AWS services support tag-based access control.
  • Lightweight. No need to create a separate AWS account or organization unit per customer. Hundreds of deployments can coexist in the same account, each isolated by prefix.
  • Reviewable. The customer can look at the IAM policy and see exactly which resources the role can touch — every ARN ends with the prefix pattern.

The prefix is generated automatically by Alien. You don't choose it or manage it.

For observe-only AWS setups, a dedicated account is the cleanest boundary. AWS resource discovery uses account-level tagging APIs, so discovery cannot be fully constrained by tag or prefix.

What all three share

The mechanism differs, but the result is the same:

  • Clear boundary — your application's resources are isolated from everything else in the account.
  • Revocable — the customer can remove access at any time by deleting the resource group, project, or IAM role.
  • Reviewable — the customer's security team can inspect exactly what permissions exist before approving.

Alien derives the scoping automatically from your stack definition. You define the resources; Alien generates the correct naming, policies, and role bindings for each cloud.

For Operate Existing, the customer chooses the scope directly: AWS account or prefix, GCP project, Azure resource group, or Kubernetes namespace and selector.

On this page