

# Create temporary sandbox environments with configurable security and spend monitoring controls
Solution overview

Publication date: *May 2025. For updates, refer to [CHANGELOG.md](https://github.com/aws-solutions/innovation-sandbox-on-aws/blob/main/CHANGELOG.md) file in the GitHub repository.* 

The Innovation Sandbox on AWS solution allows cloud administrators to set up and recycle temporary sandbox environments by automating the implementation of security and governance policies, spend management mechanisms, and account recycling preferences through a web user interface (UI). Using the solution, customers can empower their teams to experiment, learn, and innovate with AWS services in production-isolated AWS accounts that are recycled after use.

**Note**  
The solution does not create new AWS accounts or close existing ones; it only manages existing AWS accounts for sandbox experiments and recycles them to promote reuse.

The solution automates the setup of a sandbox Organizational Unit (OU) structure that comes preconfigured with best practices for workload isolation, by automatically deploying a standard set of policies, guardrails, and controls across sandbox accounts. The solution:

1. Enables cost optimization by sending alerts and initiating automated actions when spend reaches budget threshold limits.

1. Enables account recycling by providing the ability to use accounts for a predefined duration or spend threshold, and cleaning up the account at the end of its sandbox use.

1. Limits and controls excessively expensive or sensitive actions within sandbox accounts.

This implementation guide provides an overview of the Innovation Sandbox on AWS solution, its reference architecture and components, considerations for planning the deployment, and configuration steps for deploying the solution to the AWS Cloud. It is intended for solution architects, DevOps engineers, AWS account administrators, and cloud professionals who want to implement Innovation Sandbox on AWS in their environment.

Use this navigation table to find answers to these common questions:


| If you want to … | Read … | 
| --- | --- | 
|  Know the cost for running this solution. The average estimated cost for running this solution in the US East (N. Virginia) Region is **USD \$165.25 per month**.  |   [Cost](cost.md)   | 
|  Understand the security considerations for this solution.  |   [Security](security-1.md)   | 
|  Know how to plan for quotas for this solution.  |   [Quotas](quotas.md)   | 
|  Know which AWS Regions support this solution.  |   [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions)   | 
|  View the instructions to automatically deploy the infrastructure resources (the "stacks") for this solution.  |   [Deploy the solution](deploy-the-solution.md)   | 

# Features and benefits


 **Automate the creation of a sandbox environment** 

Transforms the sandbox setup process with automated deployment of organizational unit (OU) structures that adhere to best practices for workload isolation.

 **Accelerate environment setup with blueprints** 

Deploys pre-configured infrastructure to sandbox accounts automatically through CloudFormation StackSets, allowing users to get started with ready-to-use resources.

 **Enhanced operational efficiency** 

Reduces administrative overhead by implementing standardized policies, guardrails, and security controls across sandbox accounts automatically, ensuring consistent governance while saving valuable cloud administration time.

 **Establish cost governance** 

Maintains better cost control and takes action to reduce unnecessary spend: monitors spend patterns, sends automated alerts at defined thresholds, and restricts access or cleans up resources when budget thresholds are approached.

 **Gain visibility into sandbox usage** 

Centrally monitors all sandbox accounts, tracks sandbox usage metrics, and makes informed decisions with detailed visibility of sandbox environments using the web User Interface (UI).

 **Recycle and reuse AWS accounts** 

Efficiently reuses AWS accounts using a clean-up mechanism that is automatically initiated when the spend or time period reaches predefined limits. This systematic approach ensures that sandbox environments are recycled and ready for new experiments, while minimizing administrative overheads.

# Use cases


 **Development and innovation experiments** 

Developers who want to build a proof of concept on new AWS services, or run innovation experiments and prove the business value, before moving to a CI/CD pipeline.

 **Pre-configured development environments** 

Development teams provide standardized development environments with pre-installed tools, frameworks, and configurations through blueprints, ensuring consistency across team members and reducing manual environment setup.

 **Train and test GenAI models** 

Machine learning engineers and data scientists who want to train, test, fine-tune, and establish reinforcement learning on foundation models to improve the model’s accuracy and reduce bias.

 **Test environment** 

Quality Assurance/Test engineers who want a disposable and isolated cloud environment to run integration tests, regression tests, reproduce bugs, and test API changes, before pushing tested code to a CI/CD pipeline.

 **Higher education training labs** 

Educators, such as heads of department, professors, and teachers at universities, who want to train students by creating and managing disposable cloud environments (classroom labs, exams, and more).

 **Research and Development (R&D)** 

Educators at universities, colleges, and high schools or R&D teams at enterprises who want to run cloud research experiments in a controlled environment to verify their hypotheses.

 **Employee onboarding and training** 

Training leads at enterprises who want to provide a secure and short-lived cloud environment to deliver hands-on learning, workshops or onboarding experiences for employees.

 **Hackathons** 

IT teams (at healthcare companies, investment firms, and other enterprises) who want to run hackathons in AWS accounts owned by them, so that they can host sensitive and proprietary data.

 **Demo environments** 

Engineers and solution architects at enterprises who want an environment to run demos.

 **Software vendors** 

Companies that sell software and want to stand up time- or budget-limited demos of their software solutions and make them available to their customers to try.

# Concepts and definitions


 **Sandbox environment** 

A controlled, isolated environment where teams can experiment with AWS services without impacting production systems. It provides a safe space for learning, testing, and innovation.

 **Organizational Unit (OU)** 

A grouping of AWS accounts that allows you to organize accounts into a hierarchy and apply policies. This solution creates dedicated OUs for active and recycled sandbox accounts.

 **Service Control Policies (SCPs)** 

Policy documents that specify the maximum available permissions for accounts within an AWS Organization. They help enforce security boundaries and service restrictions across sandbox accounts. SCPs only restrict; they never grant permissions on their own, and they do not apply to the organization's management account, so the hub and management accounts still need their own IAM controls.

 **Lease** 

A lease is a temporary allocation of an AWS account to a user for a specified budget or lease duration to run innovation experiments. Leases can be created through two methods: user-initiated requests (traditional self-service model) or manager-initiated assignments (direct assignment model).

 **Lease template** 

A lease template defines the conditions that govern the use of an account: whether a user needs approval to use it, the budget and the actions taken at budget thresholds, the lease duration and the actions taken at duration thresholds, and template visibility. Admins and managers can create lease templates with public or private visibility, and sandbox users request new sandbox leases by choosing from the available public templates. Private templates are only accessible to administrators and managers for direct lease assignment.

 **Blueprint** 

A registered CloudFormation StackSet that deploys pre-configured infrastructure to sandbox accounts when you provision a lease. Blueprints enable administrators to provide users with ready-to-use environments containing standardized resources, tools, and configurations, eliminating manual setup time and ensuring consistency across sandbox accounts.

 **Template visibility** 

A configuration setting that controls whether a lease template appears in the general template listing for user requests. Public templates are visible to all users for self-service lease requests, while private templates are only accessible to administrators and managers for direct lease assignment purposes.

 **Budget threshold** 

A customer-defined spending limit that triggers specific actions when reached. The solution uses thresholds to send alerts, stop resources, and prevent new resource creation.
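To make the lease-template and budget-threshold concepts above concrete, the following is an added example (not code from the solution) of how a threshold evaluator for a lease can behave. It validates a template's threshold list before a lease is created, fires each threshold at most once, and reports every threshold crossed since the last evaluation, which matters because cost data arrives late and one reading can jump past several thresholds. The action names (`ALERT`, `FREEZE`, `CLEANUP`), the `Lease`/`Threshold` types and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical action names; the solution's own action names may differ.
ALERT = "ALERT"      # notify the lease holder
FREEZE = "FREEZE"    # stop resources and block new resource creation
CLEANUP = "CLEANUP"  # clean up the account and return it to the pool
SEVERITY = {ALERT: 0, FREEZE: 1, CLEANUP: 2}


@dataclass(frozen=True)
class Threshold:
    fraction: float  # share of the budget or lease duration, e.g. 0.75 for 75 %
    action: str


def validate_thresholds(thresholds):
    """Reject a misconfigured threshold list before any lease uses it.

    Fractions must be strictly increasing within (0, 1], actions must not get
    milder as spend/time grows, and the last threshold must be CLEANUP so that
    every lease eventually recycles its account.
    """
    if not thresholds:
        raise ValueError("at least one threshold is required")
    prev_fraction, prev_severity = 0.0, -1
    for t in thresholds:
        if not 0.0 < t.fraction <= 1.0:
            raise ValueError(f"threshold fraction {t.fraction} outside (0, 1]")
        if t.fraction <= prev_fraction:
            raise ValueError("threshold fractions must be strictly increasing")
        if t.action not in SEVERITY:
            raise ValueError(f"unknown action {t.action!r}")
        if SEVERITY[t.action] < prev_severity:
            raise ValueError("actions must not get milder at higher thresholds")
        prev_fraction, prev_severity = t.fraction, SEVERITY[t.action]
    if thresholds[-1].action != CLEANUP:
        raise ValueError("final threshold must be CLEANUP")


@dataclass
class Lease:
    account_id: str
    user: str
    budget_usd: float
    duration_hours: float
    started_at: datetime
    budget_thresholds: tuple
    duration_thresholds: tuple
    fired: set = field(default_factory=set)  # (kind, fraction) pairs already acted on

    def __post_init__(self):
        if self.budget_usd <= 0 or self.duration_hours <= 0:
            raise ValueError("budget and duration must be positive")
        validate_thresholds(self.budget_thresholds)
        validate_thresholds(self.duration_thresholds)


def due_actions(lease, spend_usd, now):
    """Return newly crossed thresholds as (kind, fraction, action) tuples.

    Each threshold fires once per lease. Spend can jump past several
    thresholds between two evaluations, so all of them are reported in
    ascending order; the caller decides which action to actually run.
    """
    elapsed_hours = (now - lease.started_at).total_seconds() / 3600.0
    observed = (
        ("budget", spend_usd / lease.budget_usd, lease.budget_thresholds),
        ("duration", elapsed_hours / lease.duration_hours, lease.duration_thresholds),
    )
    newly = []
    for kind, used, thresholds in observed:
        for t in thresholds:
            key = (kind, t.fraction)
            if used >= t.fraction and key not in lease.fired:
                lease.fired.add(key)
                newly.append((kind, t.fraction, t.action))
    return newly


def action_to_take(newly):
    """Collapse newly crossed thresholds into the single strongest action."""
    if not newly:
        return None
    return max((action for _, _, action in newly), key=SEVERITY.__getitem__)


# Constructed sample data for the demonstration below.
SAMPLE_START = datetime(2025, 5, 1, 9, 0, tzinfo=timezone.utc)


def hours_after_start(hours):
    return SAMPLE_START + timedelta(hours=hours)


def make_sample_lease():
    return Lease(
        account_id="123456789012", user="alice@example.com",
        budget_usd=100.0, duration_hours=72.0, started_at=SAMPLE_START,
        budget_thresholds=(Threshold(0.5, ALERT), Threshold(0.8, FREEZE), Threshold(1.0, CLEANUP)),
        duration_thresholds=(Threshold(0.75, ALERT), Threshold(1.0, CLEANUP)),
    )


if __name__ == "__main__":
    lease = make_sample_lease()
    # Lagged cost data: the first evaluation already sees 85 % of budget used,
    # so both the 50 % alert and the 80 % freeze fire in one pass.
    hit = due_actions(lease, 85.0, hours_after_start(30))
    print(hit, "->", action_to_take(hit))
    # The same reading a minute later fires nothing new.
    print(due_actions(lease, 85.0, hours_after_start(30.02)))
```

The evaluator takes `now` as a parameter rather than reading the clock so that the schedule is reproducible in tests and replays; in a real deployment the same function would be driven by the spend figure the cost service reports, with the understanding that that figure lags actual usage.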

 **Account recycling** 

The process of cleaning up and reusing sandbox accounts when they reach customer-defined limits. This helps optimize account management and reduce administrative overhead.

 **AWS Nuke** 

 [AWS-nuke](https://github.com/ekristen/aws-nuke) is an open-source tool that systematically and automatically deletes AWS resources in an account. It is destructive by design, so it must only ever be run against accounts that are meant to be wiped, such as sandbox accounts at the end of a lease.

 **Guardrails** 

Preventive or detective controls that protect your AWS environment. They help ensure sandbox accounts maintain security, compliance, and operational standards.

 **Hub Account** 

A centralized AWS account that hosts the sandbox resources and configuration, and orchestrates actions across sandbox accounts.

 **Cost Report Group** 

A configurable identifier used to categorize and aggregate sandbox costs for organizational reporting and chargeback purposes. Cost report groups enable administrators to attribute sandbox usage costs to specific departments, teams, or cost centers, facilitating accurate cost allocation and budget management across the organization.

 **Permission set** 

A collection of administrator-defined policies that AWS IAM Identity Center uses to determine a user’s access permissions to AWS accounts.

 **Resource controls** 

Mechanisms that manage AWS resource lifecycle, including creation, modification, and termination based on defined policies and budget thresholds.

 **Least privilege access** 

A security principle where users and resources are granted the minimum permissions necessary to perform their tasks. The solution enforces this through automated policy deployment.

**Note**  
For a general reference of AWS terms, see the [AWS Glossary](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html).