Overview

Innovation Sandbox on AWS enables cloud administrators to automate the management of temporary sandbox environments by implementing service control policies, spend controls, and account recycling mechanisms. Using this solution, customers can save weeks of administration hours and empower their teams to learn, experiment, and innovate on AWS.
Benefits

Quickly set up your short-lived sandbox environments by automating the deployment of a sandbox organizational unit (OU) structure with nested OUs that guide the sandbox account lifecycle and adhere to workload isolation best practices.
Reduce administrative overhead by implementing standardized service control policies (SCPs) across sandbox accounts automatically, ensuring consistent governance while saving weeks of valuable cloud administration time.
Get better visibility into spend in sandbox accounts and configure automated spend limiting mechanisms that get initiated when usage approaches budget thresholds.
Leverage an intelligent resource clean-up mechanism that is automatically initiated when the spend or time period reaches predefined limits, enabling sandbox accounts to be reusable for new experiments, in accordance with AWS Organizations best practices.
Centrally monitor all sandbox accounts through a web-based UI that offers an easy mechanism for sandbox users to request account leases and be assigned a customer-owned AWS account for sandbox.
Technical details

Deploying this solution with the default parameters builds the following environment in your AWS account. The high-level process flow for the solution components deployed with the AWS CloudFormation templates is as follows:
Step 1
Users access the solution (a SAML 2.0 application) using AWS IAM Identity Center authentication. You can configure IAM Identity Center to use its own internal user store, or integrate it with an external identity provider such as Okta or Microsoft Entra ID.
Step 2
The solution is hosted in an HAQM CloudFront distribution. It uses an HAQM Simple Storage Service (HAQM S3) bucket to host and serve the web frontend, including the HTML pages, CSS stylesheets, and the JavaScript code.
Step 3
The web UI calls HAQM API Gateway REST API resources (resource, method, model) to fetch and mutate the solution data. AWS Lambda functions authorize the requests using role-based access control, based on the IAM Identity Center user groups to which solution administrators assign identities. AWS WAF protects the HAQM API Gateway from common exploits and bots that can affect availability, compromise security, or consume excessive resources.
Step 4
Lambda functions handle the API requests by reading and writing status and configuration data to an HAQM DynamoDB table. These Lambda functions also fetch global configuration from AWS AppConfig to manage solution parameters, including lease preferences, account cleanup settings, customer-worded terms of service, and authentication configuration.
Step 5
Lambda functions manage the lifecycle of accounts using the AWS Organizations API, moving them between OUs based on account status. SCPs attached to the OUs prevent sandbox users from using sensitive, expensive, or difficult-to-clean-up services and resources.
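As an added example (not the solution's own policy or code), here is a deny-list SCP of the kind step 5 describes, together with a small offline evaluator that shows which API calls it blocks. The service names in the policy are illustrative assumptions about what a sandbox operator might restrict, not the solution's actual SCP.

```python
import fnmatch

# Constructed sample SCP (illustrative assumption, not the solution's actual
# policy): an explicit Deny for services a sandbox operator might treat as
# sensitive, expensive, or hard to clean up. SCPs only restrict; they never grant.
SANDBOX_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenySensitiveAndExpensiveServices",
            "Effect": "Deny",
            "Action": [
                "organizations:*",           # cannot leave or alter the organization
                "account:*",                 # cannot change account-level settings
                "iam:CreateUser",            # long-lived principals are hard to clean up
                "iam:CreateAccessKey",
                "route53domains:*",          # domain purchases are not reversible
                "ec2:PurchaseReservedInstancesOffering",
                "savingsplans:*",            # multi-year spend commitments
            ],
            "Resource": "*",
        }
    ],
}


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_denies(scp: dict, action: str) -> bool:
    """True if an explicit Deny statement in the SCP covers `action`.
    Models only the explicit-deny half of evaluation: a non-denied action still
    needs an Allow from the SCP (e.g. FullAWSAccess) and from IAM policies."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            return True
    return False


def blocked_calls(scp: dict, attempted: list[str]) -> list[str]:
    """Return the subset of `attempted` API calls that the SCP blocks."""
    return [a for a in attempted if scp_denies(scp, a)]
```

Run `blocked_calls(SANDBOX_SCP, [...])` over a list of actions a sandbox user might attempt to see which ones the OU-level policy stops before IAM permissions are even consulted.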
Step 6
The solution’s backend uses an event-based architecture built on HAQM EventBridge for routing events. Lambda functions monitor sandbox account leases for breaches of the configured budget and duration thresholds; when a threshold is breached, they emit events that produce email notifications through HAQM Simple Email Service and invoke the Lambda functions responsible for managing the lease and account lifecycle.
Step 7
Accounts going through the onboarding process, or leases being terminated, invoke the account cleanup AWS Step Functions workflow, which is responsible for recycling accounts back into the account pool, ready for reuse.
Step 8
Step Functions runs an AWS CodeBuild project to monitor active account leases and carry out actions such as moving an AWS account between OUs, attaching or detaching an IAM Identity Center permission set to grant or revoke user access to the account, or initiating the cleanup of an AWS account, which deletes all user-created resources using AWS Nuke.
Step 9
Users access assigned accounts using the IAM Identity Center access portal. The solution provides a link in the web UI to directly access the AWS account with single sign-on (SSO).