

# Plan your deployment
<a name="plan-your-deployment"></a>

This section describes the [Regions](#supported-aws-regions), [cost](cost.md), [security](security-1.md), and other considerations prior to deploying the solution.

## Supported AWS Regions
<a name="supported-aws-regions"></a>

Innovation Sandbox on AWS is available in the following AWS Regions. [Learn more](https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html) about enabling regions.


| Region Name | Region Code | 
| --- | --- | 
|  US East (Ohio)  |  us-east-2  | 
|  US East (N. Virginia)  |  us-east-1  | 
|  US West (N. California)  |  us-west-1  | 
|  US West (Oregon)  |  us-west-2  | 
|  Africa (Cape Town)  |  af-south-1  | 
|  Asia Pacific (Hong Kong)  |  ap-east-1  | 
|  Asia Pacific (Tokyo)  |  ap-northeast-1  | 
|  Asia Pacific (Seoul)  |  ap-northeast-2  | 
|  Asia Pacific (Osaka)  |  ap-northeast-3  | 
|  Asia Pacific (Mumbai)  |  ap-south-1  | 
|  Asia Pacific (Hyderabad)  |  ap-south-2  | 
|  Asia Pacific (Singapore)  |  ap-southeast-1  | 
|  Asia Pacific (Sydney)  |  ap-southeast-2  | 
|  Asia Pacific (Jakarta)  |  ap-southeast-3  | 
|  Asia Pacific (Melbourne)  |  ap-southeast-4  | 
|  Canada (Central)  |  ca-central-1  | 
|  Europe (Frankfurt)  |  eu-central-1  | 
|  Europe (Zurich)  |  eu-central-2  | 
|  Europe (Stockholm)  |  eu-north-1  | 
|  Europe (Milan)  |  eu-south-1  | 
|  Europe (Spain)  |  eu-south-2  | 
|  Europe (Ireland)  |  eu-west-1  | 
|  Europe (London)  |  eu-west-2  | 
|  Europe (Paris)  |  eu-west-3  | 
|  Middle East (UAE)  |  me-central-1  | 
|  Middle East (Bahrain)  |  me-south-1  | 
|  South America (São Paulo)  |  sa-east-1  | 

Innovation Sandbox on AWS is **not** available in the following AWS Regions:


| Region Name | Region Code | 
| --- | --- | 
|  Asia Pacific (Malaysia)  |  ap-southeast-5  | 
|  Asia Pacific (Thailand)  |  ap-southeast-7  | 
|  Canada West (Calgary)  |  ca-west-1  | 
|  China (Beijing)  |  cn-north-1  | 
|  China (Ningxia)  |  cn-northwest-1  | 
|  Israel (Tel Aviv)  |  il-central-1  | 
|  Mexico (Mexico City)  |  mx-central-1  | 
|  AWS GovCloud (US-East)  |  us-gov-east-1  | 
|  AWS GovCloud (US-West)  |  us-gov-west-1  | 

For the most current availability of AWS services by Region, see the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).

**Important**  
**CloudFront Access Logging Limitation**  
As of September 2025, CloudFront access logging is automatically disabled in the following regions due to lack of support for standard logging (legacy):
+ Africa (Cape Town) - `af-south-1`
+ Asia Pacific (Hong Kong) - `ap-east-1`
+ Asia Pacific (Hyderabad) - `ap-south-2`
+ Asia Pacific (Jakarta) - `ap-southeast-3`
+ Asia Pacific (Melbourne) - `ap-southeast-4`
+ Canada West (Calgary) - `ca-west-1`
+ Europe (Milan) - `eu-south-1`
+ Europe (Spain) - `eu-south-2`
+ Europe (Zurich) - `eu-central-2`
+ Israel (Tel Aviv) - `il-central-1`
+ Middle East (Bahrain) - `me-south-1`
+ Middle East (UAE) - `me-central-1`

If you deploy the solution in one of these regions, the CloudFront distribution will function normally but will not generate access logs. If access logging is required for your use case, you can manually configure CloudFront Standard Logging V2 after deployment. For more information, refer to the [CloudFront Standard Logging V2 documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/standard-logging.html).

# Choosing the deployment accounts
<a name="choosing-the-deployment-account"></a>

## Accounts
<a name="accounts"></a>

To deploy this solution, you will need access to these accounts.

**Organizations Management account**

The **AccountPool** stack, deployed into the AWS Organizations management account, is used to manage the lifecycle of the sandbox accounts controlled by the solution.

This stack consists of a single IAM role that will be assumed by the Hub stack’s Lambda function and grants minimal required permissions to access data of the Organization. The permissions on this role are least privileged to only allow read actions from Cost Explorer, read actions on the account pool OUs, and move account actions on the account pool OUs. The trust policy on the role only allows for a single Intermediate IAM role from the Compute stack to assume into it.

**IAM IDC account**

The **IAM Identity Center (IDC)** stack, deployed into the AWS account containing the organization's AWS IAM Identity Center instance, is used to manage the solution web UI and sandbox account access.

This stack initializes user groups and corresponding permission sets in the instance that administrators can manually add users to. The IDC stack also contains an IAM Role. The permissions on this role are least privileged to only allow the actions required by the solution. The trust policy on the role only allows for a single Intermediate IAM role from the Compute stack to assume into it.
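Both the AccountPool role and the IDC role are described above as trusting exactly one Intermediate role from the Compute stack and granting only `sts:AssumeRole`. The following check, added here as an example and not taken from the solution's own code, audits a role trust policy document for that shape. The role ARN and account ID are constructed placeholders; run it against the output of `aws iam get-role` for the deployed roles to confirm the trust has not drifted.

```python
"""Audit an IAM role trust policy for the 'exactly one trusted role' pattern.

Added example, not code from the Innovation Sandbox on AWS solution.
The account ID and role names below are constructed placeholders.
"""
import json

# Placeholder: the single Intermediate role that is allowed to assume the audited role
EXPECTED_PRINCIPAL = "arn:aws:iam::111122223333:role/ExampleIntermediateRole"

# Constructed: the shape the guide describes (one trusted role, AssumeRole only)
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": EXPECTED_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed: a policy that drifted to account-wide trust plus a wildcard principal
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "*"]},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM policy JSON allows a string or a list in most positions."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_principal):
    """Return a list of findings; an empty list means the policy trusts only
    `expected_principal` and grants nothing beyond sts:AssumeRole."""
    findings = []
    trusted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt:
            findings.append("Allow statement uses NotPrincipal (trusts everyone except the listed principals)")
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("Allow statement trusts principal '*'")
            continue
        for ptype, values in principal.items():
            if ptype != "AWS":
                findings.append(f"Allow statement trusts a non-IAM principal type: {ptype}")
                continue
            for arn in _as_list(values):
                if arn == "*":
                    findings.append("Allow statement trusts AWS principal '*'")
                elif arn.endswith(":root") or arn.isdigit():
                    findings.append(f"Allow statement trusts an entire account rather than one role: {arn}")
                trusted.add(arn)
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "sts:assumerole":
                findings.append(f"Allow statement grants an action beyond sts:AssumeRole: {action}")
    if trusted != {expected_principal}:
        findings.append(f"Trusted principals {sorted(trusted)} differ from the single expected role")
    return findings


if __name__ == "__main__":
    print("tight:", audit_trust_policy(TIGHT_POLICY, EXPECTED_PRINCIPAL))
    print("loose:", json.dumps(audit_trust_policy(LOOSE_POLICY, EXPECTED_PRINCIPAL), indent=2))
```

The `AssumeRolePolicyDocument` field returned by `aws iam get-role` is the document to feed into `audit_trust_policy`; the check deliberately treats an `:root` or bare account-ID principal as a finding because that widens trust from one role to every principal in that account.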

**Hub account**

The **Data** and **Compute** stacks contain all data, compute, and storage resources for the solution to serve the frontend application, handle API requests, facilitate scans, and manage the account lifecycle.

Select a member account within your AWS Organization to deploy these stacks. This account will have administrative access to the spoke accounts to enable the Account Cleaner component for account recycling operations. Due to these elevated permissions, treat the Hub account as a highly sensitive asset. We strongly recommend using a dedicated account with stringent access controls and limiting the number of users who can access it. Implement robust security measures to protect this account, similar to accounts you would use for your most critical AWS environments.

**Important**  
We do not recommend using the Organizations Management account as the Hub account, so that the management account stays free of operational workloads.

**Sandbox account**

The **SandboxAccount** stack is automatically configured as a service-managed StackSet resource in the AccountPool stack, using the **AccountPool OU** as the deployment target. This stack contains a single **Spoke** role, which is crucial for the account clean-up process. The Spoke role is automatically created by the service-managed StackSet after onboarding the sandbox accounts. It is assumed by compute resources in the Compute stack to run the account clean-up job.

**Important**  
These sandbox accounts are strictly intended for non-production usage and should never run production workloads.

## Home Region
<a name="home-region"></a>

Identifying the home Region is crucial for the successful deployment of the ISB solution. For the solution to work as expected:
+ Deploy all four stacks in the same Region.
+ Enable IDC in the same home Region. Identify the Region where IDC is enabled in your AWS Organization, as this will be the home Region for the ISB solution.

**Note**  
The home Region is only for deployment resources. The sandbox accounts can use any Regions that are defined in the managed Regions list (a CloudFormation parameter).

# Configuring an external identity provider (Optional)
<a name="configuring-external-idp"></a>

## Group Management
<a name="group-management"></a>

Innovation Sandbox on AWS uses three different user groups that align with the different personas. These groups must be created following your normal process within the external provider. The group names must be exactly the same as they are specified in the IDC CloudFormation Stack parameters.

Personas and corresponding groups:


| Persona | Default Group Name | Responsibility | 
| --- | --- | --- | 
|  Admin  |  `<namespace>_IsbAdminsGroup`  |  The Admin persona is responsible for deploying and managing the solution and managing the AWS accounts used in the solution.  | 
|  Manager  |  `<namespace>_IsbManagersGroup`  |  The Manager persona is responsible for the creation and management of the Lease Templates (Sandbox thresholds and actions) and the Leases (active Sandbox accounts).  | 
|  User  |  `<namespace>_IsbUsersGroup`  |  The User persona is responsible for requesting and using Leases (Sandbox Accounts).  | 

## User Management
<a name="user-management"></a>

Users will be managed according to your normal process within your provider by adding the appropriate users into one of the three ISB user groups.

Requirements:
+ **Email**: Ensure that the primary email field in the provider is populated with the correct email address.
  + Microsoft Entra: `mail` 
  + Okta: `email` 
+ The primary email field must be configured within your provider to be passed to IAM Identity Center.

You can confirm that a user’s email attribute has been successfully mapped and passed to the correct field in IAM Identity Center by running the following command in the **IDC Account** (Management or delegated account):

```
aws identitystore list-users --identity-store-id $(aws sso-admin list-instances --query "Instances[0].IdentityStoreId" --output text)
```

You can confirm that the correct email address is populated in the Emails array as shown below. The Email value should be correct and Primary should be set to true.

```
"Emails": [
    {
       "Value": "example@amazon.com",
       "Type": "work",
       "Primary": true
    }
]
```
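Reading the `Emails` array by eye works for a handful of users but not for a full identity store. The script below, added here as an example rather than something the solution ships, parses the JSON produced by the `list-users` command above and reports every user who does not have exactly one email with `Type` `work` and `Primary` `true`. The embedded sample is constructed to show the three failure shapes that an attribute-mapping mistake produces; the user IDs are placeholders.

```python
"""Flag IAM Identity Center users whose email attribute is not mapped correctly.

Added example, not part of the Innovation Sandbox on AWS solution.
"""
import json
import sys

# Constructed sample in the shape of `aws identitystore list-users` output;
# the UserId values are placeholders, not real identity store IDs.
SAMPLE_LIST_USERS_OUTPUT = json.dumps({
    "Users": [
        {   # correct: exactly one primary work email
            "UserName": "alice@example.com",
            "UserId": "placeholder-user-id-1",
            "Emails": [{"Value": "alice@example.com", "Type": "work", "Primary": True}],
        },
        {   # Primary flag missing
            "UserName": "bob",
            "UserId": "placeholder-user-id-2",
            "Emails": [{"Value": "bob@example.com", "Type": "work"}],
        },
        {   # no Emails attribute at all: the provider is not passing the email field
            "UserName": "carol",
            "UserId": "placeholder-user-id-3",
        },
        {   # email present but mapped to the wrong type
            "UserName": "dave",
            "UserId": "placeholder-user-id-4",
            "Emails": [{"Value": "dave@example.com", "Type": "home", "Primary": True}],
        },
    ]
})


def find_email_problems(list_users_json):
    """Return {UserName: reason} for every user lacking exactly one primary
    email of Type 'work' whose value looks like an address."""
    problems = {}
    for user in json.loads(list_users_json).get("Users", []):
        name = user.get("UserName") or user.get("UserId", "<unknown>")
        emails = user.get("Emails") or []
        primary_work = [
            e for e in emails
            if e.get("Type") == "work" and e.get("Primary") is True
        ]
        if not emails:
            problems[name] = "no Emails attribute: the email field is not being passed from the provider"
        elif len(primary_work) != 1:
            problems[name] = f"expected one primary 'work' email, found {len(primary_work)}"
        elif "@" not in primary_work[0].get("Value", ""):
            problems[name] = "primary work email is not a valid address"
    return problems


if __name__ == "__main__":
    # Usage: save the list-users output to a file and pass its path;
    # with no argument the constructed sample is checked instead.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_USERS_OUTPUT
    for user, reason in find_email_problems(raw).items():
        print(f"{user}: {reason}")
```

Redirect the output of the `aws identitystore list-users` command into a file and pass that file to the script; the AWS CLI follows the `NextToken` pagination for you, so the file contains every user in the store.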

## Attribute mapping examples
<a name="attribute-mapping-examples"></a>

The attribute mappings within your provider must be configured to map the user’s primary email field (from provider) to `emails[type eq "work"]` (to IAM Identity Center).


| External identity provider | Provider attribute | IAM Identity Center attribute | 
| --- | --- | --- | 
|  Microsoft Entra  |  mail  |  emails[type eq "work"]  | 
|  Okta  |  email  |  emails[type eq "work"]  | 

# Control Tower managed organizations
<a name="control-tower-managed-organizations"></a>

The Innovation Sandbox on AWS solution creates an account pool organizational unit (default: InnovationSandboxAccountPool) when you deploy the Account Pool Stack. This OU is created through AWS Organizations and is not managed by Control Tower. This OU and all nested OUs do not need to be registered with Control Tower.

If you choose to register the OU within Control Tower, or deploy the OU as a nested OU in an already Control Tower-managed OU, the parent OU (InnovationSandboxAccountPool OU), nested OUs, and accounts will appear in a drifted state in the Control Tower console. This is expected behavior because the solution moves accounts between the nested OUs.

# Creating sandbox accounts
<a name="creating-sandbox-accounts"></a>

The Innovation Sandbox on AWS solution works with existing AWS accounts and does not create new accounts. Create new accounts using AWS Organizations. For more information, refer to [Creating a member account in an organization with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html).

Create the number of accounts that you want to start with in your Account Pool based on the number of expected concurrent users. For example, if you expect 10 concurrent users, create 10 sandbox accounts using AWS Organizations.

**Note**  
The size of the account pool can be adjusted at any time. If you are unsure of how many accounts you will need, you can start with a smaller number and expand the pool as necessary ([Adding new accounts to the account pool](administrator-guide.md#new-accounts)). You can also reduce the pool size in the future ([Managing existing accounts](administrator-guide.md#manage-accounts)).

**Note**  
If you use accounts that are created or managed from AWS Control Tower, they will show as drifted in the AWS Control Tower console because the solution moves the accounts between OUs.

# Cost
<a name="cost"></a>

You are responsible for the cost of the AWS services provisioned while running this solution. As of this revision, the cost for running this solution using the single instance deployment option in the US East (N. Virginia) Region is approximately **USD $65.25 per month**.

**Note**  
The cost for running Innovation Sandbox on AWS in the AWS Cloud depends on the deployment configuration you choose. The following examples provide a cost breakdown for various deployment configurations in the US East (N. Virginia) Region. AWS services listed in the example table below are billed (in USD) on a monthly basis.

We recommend creating a [budget](https://docs.aws.amazon.com/cost-management/latest/userguide/budgets-create.html) through [AWS Cost Explorer](https://aws.amazon.com/aws-cost-management/aws-cost-explorer/) to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this solution.

## Example cost table
<a name="example-cost-tables"></a>


| Deployment type | Small deployment | Medium deployment | Large deployment | 
| --- | --- | --- | --- | 
|  Example  |  50 accounts, 30 leases (per month), 10 lease templates  |  300 accounts, 150 leases (per month), 80 lease templates  |  1000 accounts, 500 leases (per month), 100 lease templates  | 
|  **AWS Services**  |  Cost (USD)  |  Cost (USD)  |  Cost (USD)  | 
|  Amazon DynamoDB  |  $0.25  |  $1.20  |  $3.71  | 
|  AWS Lambda  |  $4.41  |  $4.51  |  $4.81  | 
|  AWS KMS  |  $4.91  |  $4.91  |  $4.92  | 
|  Amazon API Gateway  |  $1.05  |  $1.05  |  $1.05  | 
|  AWS WAF  |  $11.18  |  $11.18  |  $11.18  | 
|  AWS CodeBuild  |  $6.75  |  $33.75  |  $112.50  | 
|  AWS Step Functions  |  $0.18  |  $0.91  |  $3.04  | 
|  Amazon CloudFront  |  $0.21  |  $0.22  |  $0.22  | 
|  Amazon Simple Email Service  |  $0.02  |  $0.11  |  $0.35  | 
|  AWS Cost Explorer  |  $7.20  |  $7.20  |  $7.20  | 
|  **Total cost per month (USD)**  |  **$36.40**  |  **$65.25**  |  **$149.20**  | 

**Important**  
This estimate does not include the costs incurred by sandbox account usage or blueprint deployments. Customers are responsible for setting appropriate lease configurations, monitoring spend of sandbox accounts, and considering the cost of resources deployed through blueprints.

**Note**  
Blueprint deployments may incur additional costs depending on the resources defined in your CloudFormation StackSets. Consider the cost of blueprint resources when planning your deployment and setting lease budget limits. For example, a blueprint that deploys Amazon RDS databases, Amazon ElastiCache clusters, or Amazon EC2 instances will incur ongoing costs for the duration of the lease.

# Security
<a name="security-1"></a>

When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, visit the [AWS Security Center](https://aws.amazon.com/security/).

## IAM roles
<a name="iam-roles"></a>

IAM roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. Multiple roles are required to run Innovation Sandbox on AWS and discover resources in AWS accounts.

## IAM Identity Center and SAML authentication
<a name="iam-identity-center"></a>

AWS IAM Identity Center provides a central way to manage access to multiple AWS accounts and business applications using SAML 2.0-based authentication. By configuring SAML authentication through IAM Identity Center, you can allow your users to sign in to the solution’s web UI using their existing corporate credentials. This eliminates the need to manage separate user accounts and passwords within the solution.

## AWS Key Management Service
<a name="kms"></a>

This solution creates four KMS Customer Managed Keys (one for each stack - AccountPool, IDC, Data, and Compute) to encrypt various AWS resources. The encrypted services include CloudWatch Logs, Amazon Simple Queue Service (SQS) queues, EventBridge event buses, Secrets Manager secrets, CodeBuild projects, and DynamoDB tables.

Each CMK is specifically tailored to its stack’s requirements, with appropriate key policies that grant necessary permissions to relevant services and IAM roles. This approach of using separate CMKs per stack follows the principle of separation of concerns and allows for more granular control over encryption permissions across different components of the solution.

## AWS WAF
<a name="waf"></a>

In this solution, AWS WAF (Web Application Firewall) is implemented to protect the API Gateway endpoints through multiple layers of security controls. The solution creates a regional WAF web ACL that combines four AWS managed rule groups and two custom rules.

The default action of the web ACL is set to **allow** and the rule actions are set to **block**, so a request that matches any of the rules is blocked and only requests that match none of them reach the API. This WAF configuration helps protect the API Gateway against common web exploits, malicious bots, and unauthorized access while allowing legitimate traffic from approved sources.

**Note**  
**WAF `SizeRestrictions_QUERYSTRING` rule modification**  
The solution disables the `SizeRestrictions_QUERYSTRING` rule from the `AWSManagedRulesCommonRuleSet` to accommodate legitimate large pagination tokens from the AWS Organizations API. The GET `/accounts/unregistered` endpoint retrieves accounts from AWS Organizations, which can return pagination tokens that exceed the default WAF query string size limit when handling large numbers of accounts (>20).  
This modification is necessary for the solution to function properly with large account pools. If you require additional query string size protection for other endpoints, you can manually implement a custom rule that excludes the `/accounts/unregistered` endpoint while applying size restrictions to other API endpoints.
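The note above suggests re-adding query string size protection with a custom rule that exempts only `/accounts/unregistered`. The following is one way to express that rule, added here as an example and not a rule the solution deploys: an `AndStatement` that blocks when the query string exceeds 2,048 bytes (the threshold the managed `SizeRestrictions_QUERYSTRING` rule uses) and the URI path does not end with `/accounts/unregistered`. The rule name, priority and metric name are assumptions to adapt to your web ACL. The small evaluator underneath is not AWS WAF; it only walks the statement types this one rule uses so the rule's effect can be checked against constructed requests before it is deployed.

```python
"""Custom WAFv2 rule: query string size limit with one exempt endpoint.

Added example, not part of the Innovation Sandbox on AWS solution.
CUSTOM_RULE is a WAFv2 rule in the JSON shape used by the API and
CloudFormation; Name, Priority and MetricName are assumed values.
"""
import json

EXEMPT_PATH_SUFFIX = "/accounts/unregistered"   # endpoint from the guide
QUERY_STRING_LIMIT = 2048                       # bytes, as in the managed rule

CUSTOM_RULE = {
    "Name": "QueryStringSizeExceptUnregistered",   # assumed
    "Priority": 10,                                # assumed; must not clash with existing rules
    "Action": {"Block": {}},
    "Statement": {
        "AndStatement": {
            "Statements": [
                {
                    "SizeConstraintStatement": {
                        "FieldToMatch": {"QueryString": {}},
                        "ComparisonOperator": "GT",
                        "Size": QUERY_STRING_LIMIT,
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                },
                {
                    "NotStatement": {
                        "Statement": {
                            "ByteMatchStatement": {
                                "FieldToMatch": {"UriPath": {}},
                                "PositionalConstraint": "ENDS_WITH",
                                "SearchString": EXEMPT_PATH_SUFFIX,
                                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                            }
                        }
                    }
                },
            ]
        }
    },
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "QueryStringSizeExceptUnregistered",   # assumed
    },
}


def _field(req, field_to_match):
    """Pick the request component a FieldToMatch refers to (subset)."""
    if "QueryString" in field_to_match:
        return req["query"]
    if "UriPath" in field_to_match:
        return req["path"]
    raise ValueError("unsupported FieldToMatch")


def matches(statement, req):
    """Minimal local evaluator for the statement types CUSTOM_RULE uses."""
    if "AndStatement" in statement:
        return all(matches(s, req) for s in statement["AndStatement"]["Statements"])
    if "NotStatement" in statement:
        return not matches(statement["NotStatement"]["Statement"], req)
    if "SizeConstraintStatement" in statement:
        s = statement["SizeConstraintStatement"]
        size = len(_field(req, s["FieldToMatch"]).encode())
        limit = s["Size"]
        return {"GT": size > limit, "GE": size >= limit, "LT": size < limit,
                "LE": size <= limit, "EQ": size == limit, "NE": size != limit}[s["ComparisonOperator"]]
    if "ByteMatchStatement" in statement:
        b = statement["ByteMatchStatement"]
        value, needle = _field(req, b["FieldToMatch"]), b["SearchString"]
        return {"EXACTLY": value == needle, "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle), "CONTAINS": needle in value}[b["PositionalConstraint"]]
    raise ValueError("unsupported statement")


def action_for(rule, req):
    """Web ACL default action is allow; the rule's action is block."""
    return "BLOCK" if matches(rule["Statement"], req) else "ALLOW"


if __name__ == "__main__":
    big_query = "nextToken=" + "A" * 3000            # constructed oversized pagination token
    for req in ({"path": "/prod/accounts/unregistered", "query": big_query},
                {"path": "/prod/leases", "query": big_query},
                {"path": "/prod/leases", "query": "pageSize=50"}):
        print(req["path"], action_for(CUSTOM_RULE, req))
    print(json.dumps(CUSTOM_RULE, indent=2))
```

`ENDS_WITH` is used for the path match because the API Gateway stage name precedes the resource path in the URI WAF inspects. When you submit the rule through the AWS CLI rather than CloudFormation, remember that `SearchString` is a blob parameter, so either base64-encode it or pass `--cli-binary-format raw-in-base64-out`.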

## Amazon CloudFront
<a name="amazon-cloudfront"></a>

This solution deploys a web UI [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket that is distributed by Amazon CloudFront. To help reduce latency and improve security, this solution includes a CloudFront distribution with an origin access identity, a special CloudFront user that is granted read access to the website bucket so that the site can be served publicly through CloudFront while the bucket itself stays private. By default, the CloudFront distribution uses TLS 1.2 to enforce the highest level of security protocol. For more information, refer to [Restricting access to an Amazon S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*.

CloudFront activates additional security mitigations to append HTTP security headers to each viewer response. For more information, refer to [Adding or removing HTTP headers in CloudFront responses](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html).

This solution uses the default CloudFront certificate which has a minimum supported security protocol of TLS v1.0. To enforce the use of TLS v1.2 or TLS v1.3, you must use a custom SSL certificate instead of the default CloudFront certificate. For more information, refer to [How do I configure my CloudFront distribution to use an SSL/TLS certificate](https://aws.amazon.com/premiumsupport/knowledge-center/install-ssl-cloudfront/).

## Amazon DynamoDB
<a name="amazon-dynamodb"></a>

All user data stored in DynamoDB is encrypted at rest using customer managed keys (CMK) stored in AWS KMS.

## AWS Lambda
<a name="aws-lambda"></a>

By default, the Lambda functions are configured with the most recent stable version of the language runtime. No sensitive data or secrets are logged. Service interactions are carried out with the least required privilege. Roles that define these privileges are not shared between functions.

## Amazon CloudWatch Alarms
<a name="amazon-cloudwatch-alarms"></a>

The solution provides CloudWatch Alarms through CloudWatch Application Insights to monitor for Lambda errors, throttling, and execution duration.

To set up SNS notifications to detect changes in these alarms, refer to [Acting on alarm changes](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Acting_Alarm_Changes.html). You can configure additional alarms based on metrics reported by the different services within the solution.

## Log retention and monitoring
<a name="log-retention-and-monitoring"></a>

By default, Innovation Sandbox retains all compute logs for 90 days in Amazon CloudWatch Logs. AWS recommends retaining security-relevant logs for 10 years to support compliance and forensic analysis requirements. You can modify the default log retention period by adjusting the `cloudWatchLogRetentionInDays` value in the CloudFormation template mapping before deployment.

All logs are encrypted at rest using AWS KMS customer-managed keys and are automatically archived to Amazon S3 for long-term retention following a multi-tier strategy (CloudWatch Logs → S3 Standard → S3 Glacier).

## AWS CloudTrail
<a name="aws-cloudtrail"></a>

AWS CloudTrail is not automatically enabled by the Innovation Sandbox solution. AWS recommends enabling organization-level CloudTrail in your Organization Management Account to monitor API calls and administrative actions across all accounts.

## Amazon S3 security features
<a name="amazon-s3-security"></a>

The solution uses Amazon S3 for storing cost reports, log archives, and operational data. By default, the solution only enables S3 access logging and versioning on critical buckets to reduce costs from redundant logs. AWS recommends enabling these features on all solution buckets for enhanced security monitoring if required for your compliance needs.

If desired, you can manually enable S3 access logging to monitor all bucket access, S3 versioning to protect against accidental deletion or modification, and S3 event notifications for real-time alerts on critical bucket operations.

## Custom client security considerations
<a name="custom-client-security"></a>

The Innovation Sandbox on AWS API allows certain free-text fields (such as lease template names and descriptions) to contain characters that may lead to cross-site scripting (XSS) vulnerabilities in insecure client implementations. The included React-based web client implements proper security controls and safely handles all user-provided data. If you develop a custom client application that integrates with the solution’s API, ensure your implementation includes appropriate input validation, output encoding, and XSS protection measures following secure coding practices for your chosen technology stack.
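The risk described above is that a custom client takes a free-text API field such as a lease template name and places it into HTML by string concatenation. The following pair, added here as an example and not taken from the solution's React client, shows that unsafe rendering next to the hardened version (output encoding at the HTML boundary plus an allow-list check a client can apply to values it sends back to the API). The sample name and the allow-list pattern are constructed for the demonstration.

```python
"""Output encoding and input validation for a custom Innovation Sandbox client.

Added example, not code from the solution's own web client.
"""
import html
import re

# Constructed: a lease template name as an API response could return it
UNTRUSTED_NAME = 'Data Lab <script>alert("xss")</script>'


def render_unsafe(name):
    """What an insecure custom client does: untrusted text concatenated into markup."""
    return f"<li class='template'>{name}</li>"


def render_safe(name):
    """Hardened form: HTML-encode every untrusted value before it enters markup."""
    return f"<li class='template'>{html.escape(name, quote=True)}</li>"


# Assumed allow-list for names a custom client creates; tighten or loosen for your stack
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 _.\-]{1,64}$")


def is_acceptable_name(name):
    """Input validation on the way in: reject anything outside the allow-list."""
    return NAME_PATTERN.fullmatch(name) is not None


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_NAME))   # markup is active in the page
    print(render_safe(UNTRUSTED_NAME))     # markup is shown as literal text
    print(is_acceptable_name("Data Lab 01"), is_acceptable_name(UNTRUSTED_NAME))
```

Encoding belongs at the point where a value enters HTML, regardless of whether the value was validated when it was created, because the API accepts names created by other clients.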

# Quotas
<a name="quotas"></a>

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

## Quotas for AWS services in this solution
<a name="quotas-for-aws-services-in-this-solution"></a>

Make sure you have sufficient quota for each of the [services implemented in this solution](aws-services-in-this-solution.md). For more information, refer to [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Use the following links to view service quotas. To view the service quotas for all AWS services in the documentation without switching pages, refer to the [Service endpoints and quotas](https://docs.aws.amazon.com/pdfs/general/latest/gr/aws-general.pdf#aws-service-information) page.


|  |  | 
| --- |--- |
|   [Amazon EventBridge](https://docs.aws.amazon.com/general/latest/gr/cwe_region.html)   |   [AWS CodeBuild](https://docs.aws.amazon.com/general/latest/gr/codebuild.html)   | 
|   [Amazon CloudFront](https://docs.aws.amazon.com/general/latest/gr/cf_region.html)   |   [Amazon API Gateway](https://docs.aws.amazon.com/general/latest/gr/apigateway.html)   | 
|   [AWS AppConfig](https://docs.aws.amazon.com/general/latest/gr/appconfig.html)   |   [AWS CloudFormation](https://docs.aws.amazon.com/general/latest/gr/cfn.html)   | 
|   [Amazon DynamoDB](https://docs.aws.amazon.com/general/latest/gr/ddb.html)   |   [AWS IAM Identity Center](https://docs.aws.amazon.com/general/latest/gr/sso.html)   | 
|   [AWS KMS](https://docs.aws.amazon.com/general/latest/gr/kms.html)   |   [AWS Lambda](https://docs.aws.amazon.com/general/latest/gr/lambda-service.html)   | 
|   [Amazon CloudWatch Logs](https://docs.aws.amazon.com/general/latest/gr/cwl_region.html)   |   [AWS Organizations](https://docs.aws.amazon.com/general/latest/gr/ao.html)   | 
|   [AWS RAM](https://docs.aws.amazon.com/general/latest/gr/ram.html)   |   [Amazon S3](https://docs.aws.amazon.com/general/latest/gr/s3.html)   | 
|   [AWS Secrets Manager](https://docs.aws.amazon.com/general/latest/gr/asm.html)   |   [Amazon SQS](https://docs.aws.amazon.com/general/latest/gr/sqs-service.html)   | 
|   [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/general/latest/gr/ssm.html#parameter-store)   |   [AWS Step Functions](https://docs.aws.amazon.com/general/latest/gr/step-functions.html)   | 

## AWS CloudFormation quotas
<a name="aws-cloudformation-quotas"></a>

Make sure you are aware of AWS CloudFormation quotas when [launching the stack](launch-the-stack.md) in this solution. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this solution successfully. For more information, refer to [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User’s Guide*.

## AWS Lambda quotas
<a name="aws-lambda-quotas"></a>

Your account has an AWS Lambda concurrent execution quota of 1000. If the solution is used in an account where there are other workloads running and using Lambda, set this quota to an appropriate value. This value is adjustable; for more information, see [AWS Lambda quotas](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html) in the *AWS Lambda User’s Guide*.

## AWS CodeBuild quotas
<a name="aws-codebuild-quotas"></a>

Make sure you are aware of [AWS CodeBuild quotas](https://docs.aws.amazon.com/codebuild/latest/userguide/limits.html) when [launching the stack](launch-the-stack.md) in this solution.

**Note**  
By default, concurrent CodeBuild quotas are low. To efficiently handle account recycling with this solution, we recommend you request a higher concurrent build quota before you launch the solution.