Concepts and definitions

Sandbox environment

A controlled, isolated environment where teams can experiment with AWS services without impacting production systems. It provides a safe space for learning, testing, and innovation.

Organizational Unit (OU)

A grouping of AWS accounts that allows you to organize accounts into a hierarchy and apply policies. This solution creates dedicated OUs for active and recycled sandbox accounts.

Service Control Policies (SCPs)

Policy documents that specify the maximum available permissions for accounts within an AWS Organization. They help enforce security boundaries and service restrictions across sandbox accounts.

Lease

A lease is a temporary allocation of an AWS account to a user for a specified budget or lease duration to run innovation experiments.

Account Template

An account template provides the ability to define conditions that govern the use of the account - such as approval for a user to use a given account, budget and threshold actions, lease duration and threshold actions. Admins and managers can create account templates, and sandbox users can request new sandbox leases by choosing from a list of preconfigured account templates.

Budget threshold

A predefined customer-defined spending limit that triggers specific actions when reached. The solution uses thresholds to send alerts, stop resources, and prevent new resource creation.

Account recycling

The process of cleaning up and reusing sandbox accounts when they reach customer-defined limits. This helps optimize account management and reduce administrative overhead.

AWS Nuke

AWS-nuke is an open-source tool designed for the purpose of cleaning up and deleting AWS resources in a systematic and automated way.

Guardrails

Preventive or detective controls that protect your AWS environment. They help ensure sandbox accounts maintain security, compliance, and operational standards.

Hub Account

A centralized AWS account that hosts the sandbox resources and configuration, and orchestrates actions across sandbox accounts.

Permission set

A collection of administrator-defined policies that AWS IAM Identity Center uses to determine a user’s access permissions to AWS accounts.

Resource controls

Mechanisms that manage AWS resource lifecycle, including creation, modification, and termination based on defined policies and budget thresholds.

Least privilege access

A security principle where users and resources are granted the minimum permissions necessary to perform their tasks. The solution enforces this through automated policy deployment.

Overview

Features and Benefits

Use cases

Concepts and definitions

Solution Architecture

AWS Well-Architected design considerations

AWS services in this solution

Account Cleaner components

Account lifecycle - TBCompleted

Supported AWS Regions

Running Costs

Security

Quotas

Choosing the deployment accounts

Prerequisites

AWS CloudFormation templates

Prepare to Launch the Stack

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Data stack

Step 4: Deploy the Compute stack

Step 5: ?????

Create a SAML 2.0 application

Map application attributes

Assign groups to your application

Assign users to groups

Update configuration using AWS AppConfig

Update values in AWS Secrets Manager

Logging into the web UI

User Guide

Manager Guide

Administrator Guide

Monitoring the solution

Software Licence

Investigating accounts in Quarantine state

Resolving clean-up failures

End leases and eject accounts

Uninstall solution stacks

Resources retained after deletion

Delete the custom application in IAM Identity Center

Revision 1.0 - 18/07/2025

Sandbox Studio Terms and Conditions

Running the wizard

Prerequisite #1: AWS Organizations

Prerequisite #2: Service Control Policies (SCPs)

Prerequisite #3: IAM Identity Center

Prerequisite #4: Resource Access Manager

Prerequisite #5: Cloudformation Stacksets

Prerequisite #6: Cost Explorer

Prerequisite #7: IAM Identity Center Custom SAML Application

Prerequisite #8: Lambda Concurrency Limit

Prerequisite #9: Simple Email Service

Concepts and definitions

Sandbox environment

Organizational Unit (OU)

Service Control Policies (SCPs)

Lease

Account Template

Budget threshold

Account recycling

AWS Nuke

Guardrails

Hub Account

Permission set

Resource controls

Least privilege access