AWS Well-Architected design considerations

This solution uses the best practices from the AWS Well-Architected Framework which helps customers design and operate reliable, secure, efficient, and cost-effective workloads in the cloud. This section describes how the design principles and best practices of the Well-Architected Framework benefit this solution.

Operational excellence

We architected this solution using the principles and best practices of the operational excellence pillar to benefit this solution.
The Sandbox Studio on AWS solution implements operational excellence through:

Automated operations

Automates sandbox environment setup and configuration.
Deploys standardized policies and guardrails across accounts.
Reduces manual intervention in account lifecycle management.

Event response

Implements automated responses to budget thresholds.
Provides a Cloudwatch Application Insights dashboard for monitoring and alerts.
Enables quick identification and resolution of issues, using predefined CloudWatch Log Insight queries and X-Ray traces.

Standard definitions

Creates consistent Organizational Unit (OU) structure across implementations.
Establishes standardized security policies.
Maintains uniform budget control mechanisms.

Security

We architected this solution using principles and best practices of the security pillar to benefit this solution. The solution implements comprehensive security controls:

Identity and access management

Integrates with AWS IAM Identity Center for centralized access control.
Automatically implements least privilege permissions.
Enforces role-based access across sandbox accounts.

Network security

Isolates sandbox environments from production systems.
Restricts access to internal networks.
Controls network traffic through automated WAF policies.

Data protection

Prevents access to sensitive corporate resources.
Implements service control policies for data protection.
Maintains isolation between sandbox environments.

Reliability

We architected this solution using principles and best practices of the reliability pillar to benefit this solution. The solution ensures reliability through:

Distributed design

Implements multi-account architecture.
Uses AWS Organizations for management.
Maintains separation of concerns across accounts.

Automated recovery

Implements automated resource management.
Enables account recycling and clean-up.
Provides consistent environment configuration.

Change management

Automates policy deployment.
Maintains consistent controls across accounts.
Enables standardized environment updates.

Performance efficiency

We architected this solution using principles and best practices of the performance efficiency pillar to benefit this solution. The solution maintains performance efficiency by:

Resource selection

Allows administrators to specify approved services and Regions.
Enables right-sizing of resources for sandbox environments.
Provides flexibility in resource configuration.

Monitoring

Creates a centralized CloudWatch Application Insights dashboard.
Tracks resource utilization across accounts.
Enables performance optimization through metrics.

Cost optimization

We architected this solution using principles and best practices of the cost optimization pillar to benefit this solution.
The solution optimizes costs through multiple mechanisms:

Resource management

Automatically manage accounts (clean-up or freeze) when budget thresholds are reached.
Freeze: Prevents creation of new resources at budget limits.
Clean-up: Enables account recycling to optimize usage.

Cost controls

Implements multi-tier budget threshold monitoring.
Provides visibility into spending across accounts.
Reduces monthly cost overruns through automated controls.

Note: Identification of cost/budget overrun per account is best effort due to Cost Explorer service limitation.

Resource lifecycle

Manages resource termination based on budget limits and/or lease duration.
Enables account reuse through automated clean-up.
Optimizes account utilization through recycling.

Sustainability

We architected this solution using principles and best practices of the sustainability pillar to benefit this solution.

The solution uses managed and serverless services where possible to minimize the environmental impact.

Overview

Features and Benefits

Use cases

Concepts and definitions

Solution Architecture

AWS Well-Architected design considerations

AWS services in this solution

Account Cleaner components

Account lifecycle - TBCompleted

Supported AWS Regions

Running Costs

Security

Quotas

Choosing the deployment accounts

Prerequisites

AWS CloudFormation templates

Prepare to Launch the Stack

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Data stack

Step 4: Deploy the Compute stack

Step 5: ?????

Create a SAML 2.0 application

Map application attributes

Assign groups to your application

Assign users to groups

Update configuration using AWS AppConfig

Update values in AWS Secrets Manager

Logging into the web UI

User Guide

Manager Guide

Administrator Guide

Monitoring the solution

Software Licence

Investigating accounts in Quarantine state

Resolving clean-up failures

End leases and eject accounts

Uninstall solution stacks

Resources retained after deletion

Delete the custom application in IAM Identity Center

Revision 1.0 - 18/07/2025

Sandbox Studio Terms and Conditions

Running the wizard

Prerequisite #1: AWS Organizations

Prerequisite #2: Service Control Policies (SCPs)

Prerequisite #3: IAM Identity Center

Prerequisite #4: Resource Access Manager

Prerequisite #5: Cloudformation Stacksets

Prerequisite #6: Cost Explorer

Prerequisite #7: IAM Identity Center Custom SAML Application

Prerequisite #8: Lambda Concurrency Limit

Prerequisite #9: Simple Email Service

AWS Well-Architected design considerations

Operational excellence

Security

Reliability

Performance efficiency

Cost optimization

Sustainability