Overview

Create temporary sandbox environments with configurable security and spend monitoring controls

The Sandbox Studio solution allows cloud administrators to set up and recycle temporary sandbox environments by automating the implementation of security and governance policies, spend management mechanisms, and account recycling preferences through a web user interface (UI). Using the solution, customers can empower their teams to experiment, learn, and innovate with AWS services in production-isolated AWS accounts that are recycled after use.

Note: The solution does not create any new, or close AWS accounts; it only allows you to manage and monitor existing AWS accounts for sandbox experiments, and recycles accounts to promote reuse.

The solution automates the setup of a sandbox Organizational Unit (OU) structure that comes preconfigured with best practices for workload isolation, by automatically deploying a standard set of policies, guardrails, and controls across sandbox accounts. The solution:

Enables cost optimization by sending alerts and initiating automated actions when spend reaches budget threshold limits.
Enables account recycling by providing the ability to use accounts for a predefined duration or spend threshold, and cleaning up the account at the end of its sandbox use.
Limits and controls excessively expensive, or sensitive actions within sandbox accounts.

This implementation guide provides an overview of the Sandbox Studio solution, as architecture overview, considerations for planning the deployment, and configuration steps for deploying the solution to the AWS Cloud. It is intended for solution architects, DevOps engineers, AWS account administrators, and cloud professionals who want to implement Sandbox Studio in their environment.

Overview

Features and Benefits

Use cases

Concepts and definitions

Solution Architecture

AWS Well-Architected design considerations

AWS services in this solution

Account Cleaner components

Account lifecycle - TBCompleted

Supported AWS Regions

Running Costs

Security

Quotas

Choosing the deployment accounts

Prerequisites

AWS CloudFormation templates

Prepare to Launch the Stack

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Data stack

Step 4: Deploy the Compute stack

Step 5: ?????

Create a SAML 2.0 application

Map application attributes

Assign groups to your application

Assign users to groups

Update configuration using AWS AppConfig

Update values in AWS Secrets Manager

Logging into the web UI

User Guide

Manager Guide

Administrator Guide

Monitoring the solution

Software Licence

Investigating accounts in Quarantine state

Resolving clean-up failures

End leases and eject accounts

Uninstall solution stacks

Resources retained after deletion

Delete the custom application in IAM Identity Center

Revision 1.0 - 18/07/2025

Sandbox Studio Terms and Conditions

Running the wizard

Prerequisite #1: AWS Organizations

Prerequisite #2: Service Control Policies (SCPs)

Prerequisite #3: IAM Identity Center

Prerequisite #4: Resource Access Manager

Prerequisite #5: Cloudformation Stacksets

Prerequisite #6: Cost Explorer

Prerequisite #7: IAM Identity Center Custom SAML Application

Prerequisite #8: Lambda Concurrency Limit

Prerequisite #9: Simple Email Service

Overview

Create temporary sandbox environments with configurable security and spend monitoring controls