Running the wizard

Introduction

This wizard has been created to facilitate the installation and deployment of the Sandbox Studio solution in your environment. It automates as many steps as possible and checks for prerequisites before the installation.

Prerequisites

The wizard will automatically check for prerequisites. If any of the prerequisites are not met, the wizard will display the URL to the right documentation to help you configure your environment.

Those are the variables you will have to set/confirm during the installation:

	Description	Input or Confirm	Comments
Management Account ID	Account ID of the Management Account of your organisation.	Confirm only	You don't need it per say as the wizard should be executed from this account anyway, but the wizard is going to ask you to confirm the account is the correct management account.
Hub Account ID	The AWS Account ID of the "hub" account for the solution.	Input*	Best practice is to have a separate AWS Account to act as the "hub" for SandboxStudio.
Organization ID	ID of the AWS organisation used for the installation.	Confirm only	Should be the organisation where the Management Account resides
IAM Identity Center instance	ID of the IAM Identity Center Instance	Confirm only
IAM Identity Center SAML Application	Details of the custom IDC application	Confirm / Input	The wizard will ask you to select the custom IdC application if you have already set one up. Otherwise, the script will guide you through the creation of this application.
Application namespace	Prefix to add before SandboxStudio resources	Confirm / Input	Default: MySs
Organisation Parent ID	ID of the Organisational Unit where you want the Sandbox Studio OUs to be created	Input*	Default: Root OU We strongly recommend having a dedicated Organisational Unit for Sandbox Studio.
AWS Regions	List of regions that Sandbox Studio will manage	Confirm / Input	Comma separated list of values. Those are the regions monitored and managed by the Sandbox Studio. ie: us-east-1,us-east-2,ap-southeast-1 Default: Region where Sandbox Studio is deployed into
Admin Group Name	List of the IdC group name from Sandbox Studio administrators	Confirm / Input	Default: <NAMESPACE>_SsAdminsGroup ie: MySs_SsAdminsGroup Note: Should you want to manage your groups within a third-party Identity Provider, you will need to create this group in your IdP.
Managers Group Name	List of the IdC group name from Sandbox Studio managers	Confirm / Input	Default: <NAMESPACE>_SsManagersGroup ie: MySs_SsManagersGroup Note: Should you want to manage your groups within a third-party Identity Provider, you will need to create this group in your IdP.
Users Group Name	List of the IdC group name from Sandbox Studio users	Confirm / Input	Default: <NAMESPACE>_SsUsersGroup ie: MySs_SsUsersGroup Note: Should you want to manage your groups within a third-party Identity Provider, you will need to create this group in your IdP.
Allowed IP Ranges	Comma-separated list of CIDR ranges for API access	Confirm / Input	Default: 0.0.0.0/1,128.0.0.0/1

Input*: Indicates fields that are mandatory for you to fill in.

In case you have not created the SAML custom application yet, the wizard will also prompt you for the following:

	Description	Input or Confirm	Comments
Application name	Name of the custom SAML application to be created	Confirm / Input	Default: Sandbox Studio
Application Description	Description of the custom SAML application to be created	Confirm / Input	Default: Sandbox Studio allows users to access temporary AWS accounts

Installation

wget https://sandbox-studio-software-dist.s3.us-east-1.amazonaws.com/versions/1.0.0/install_sandbox_studio.sh
chmod +x install_sandbox_studio.sh
./install_sandbox_studio.sh

The following should display:

The wizard will guide you through the installation. Enjoy !

Overview

Features and Benefits

Use cases

Concepts and definitions

Solution Architecture

AWS Well-Architected design considerations

AWS services in this solution

Account Cleaner components

Account lifecycle - TBCompleted

Supported AWS Regions

Running Costs

Security

Quotas

Choosing the deployment accounts

Prerequisites

AWS CloudFormation templates

Prepare to Launch the Stack

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Data stack

Step 4: Deploy the Compute stack

Step 5: ?????

Create a SAML 2.0 application

Map application attributes

Assign groups to your application

Assign users to groups

Update configuration using AWS AppConfig

Update values in AWS Secrets Manager

Logging into the web UI

User Guide

Manager Guide

Administrator Guide

Monitoring the solution

Software Licence

Investigating accounts in Quarantine state

Resolving clean-up failures

End leases and eject accounts

Uninstall solution stacks

Resources retained after deletion

Delete the custom application in IAM Identity Center

Revision 1.0 - 18/07/2025

Sandbox Studio Terms and Conditions

Running the wizard

Prerequisite #1: AWS Organizations

Prerequisite #2: Service Control Policies (SCPs)

Prerequisite #3: IAM Identity Center

Prerequisite #4: Resource Access Manager

Prerequisite #5: Cloudformation Stacksets

Prerequisite #6: Cost Explorer

Prerequisite #7: IAM Identity Center Custom SAML Application

Prerequisite #8: Lambda Concurrency Limit

Prerequisite #9: Simple Email Service

Running the wizard

Introduction

Prerequisites

Installation