# Deploy the Solution

To help streamline the setup of Sandbox Studio, we’ve provided an installation script that checks your environment for the necessary prerequisites and guides you through deploying the solution step by step. This is our recommended installation method, as it simplifies the process and reduces the chance of configuration issues. However, if you prefer to install the solution manually, please refer to the manual installation documentation or contact our support team for assistance.

# Running the Installation Wizard

#### Introduction

This wizard has been created to facilitate the installation and deployment of the Sandbox Studio solution in your environment. It automates as many steps as possible and checks for prerequisites before the installation.

#### Running the wizard

1. Log in to your AWS **Organisation Management account**.
2. Open a new [CloudShell](https://aws.amazon.com/cloudshell/) console (a link to open CloudShell can be found in the bottom left corner of the AWS console).
3. Ensure you are in the region where you want to install Sandbox Studio.
4. Run the following command:

```bash
bash <(curl -s https://dist.sandboxstudiosoftware.com/install.sh)
```

The following should display:

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-08/scaled-1680-/P7gimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-08/P7gimage.png)

The wizard will guide you through the installation process.

<p class="callout warning">Do not run this script as the root user: the script will fail, and using the root account does not follow AWS best practices.</p>

#### Prerequisites

The wizard will automatically check for [prerequisites](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/installation-prerequisites "Installation Prerequisites"). If any of the prerequisites are not met, the wizard will display the URL of the relevant documentation to help you configure your environment. See the [Installation Prerequisites](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/installation-prerequisites "Installation Prerequisites") page for more details.

#### Inputs

The installation wizard will ask you to set/confirm a set of input parameters during the installation process:

<table id="bkmrk-input-variable-descr" style="width: 108.095%;"><thead><tr><th class="align-left" style="width: 16.8057%;">**Input Variable**</th><th class="align-left" style="width: 26.5793%;">**Description**</th><th class="align-left" style="width: 10.0119%;">**Input or Confirm**</th><th class="align-left" style="width: 46.7223%;">**Comments**</th></tr></thead><tbody><tr><td style="width: 16.8057%;">Management Account ID</td><td style="width: 26.5793%;">The AWS account ID of the management account (auto-detected by the script).</td><td style="width: 10.0119%;">Confirm</td><td style="width: 46.7223%;">During setup, you will be asked to confirm that you are indeed using the correct **organisation management account**. This ensures Sandbox Studio can set up organisation units and Service Control Policies.</td></tr><tr><td style="width: 16.8057%;">Region</td><td style="width: 26.5793%;">AWS region where Sandbox Studio will be deployed.</td><td style="width: 10.0119%;">Confirm / Input</td><td style="width: 46.7223%;">The script attempts to detect the region from AWS CLI config. If not found, you will be prompted to input one (default `us-east-1`).</td></tr><tr><td style="width: 16.8057%;">Hub Account ID</td><td style="width: 26.5793%;">The account ID that will host Sandbox Studio infrastructure (may be same as management account).</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Must be a 12-digit AWS account ID. If left empty, the management account ID will be used. 
See [Choosing the hub account](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/choosing-the-hub-account "Choosing the hub account").</td></tr><tr><td style="width: 16.8057%;">Parent OU ID</td><td style="width: 26.5793%;">AWS Organisation Unit ID where Sandbox Studio OUs will be created.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Defaults to the **Root OU ID**, but can be set to any valid parent OU so that Sandbox Studio's OUs are created under that OU and inherit existing SCPs if required.</td></tr><tr><td style="width: 16.8057%;">Namespace</td><td style="width: 26.5793%;">Short prefix (3–8 alphanumeric characters) used to name Sandbox Studio resources.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Example: `MySs`. Used as a unique identifier in stack names and IAM groups.</td></tr><tr><td style="width: 16.8057%;">Managed Regions</td><td style="width: 26.5793%;">List of AWS regions where Sandbox Studio should manage accounts/resources.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Comma-separated values (e.g., `us-east-1,eu-west-1`). Defaults to the chosen region. See [Choosing your region(s)](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/choosing-your-regions "Choosing your region(s)").</td></tr><tr><td style="width: 16.8057%;">Admin Group Name</td><td style="width: 26.5793%;">IAM Identity Center group name for Sandbox Studio administrators.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Defaults to `<Namespace>_SsAdminsGroup`. This is the **"Administrators"** group for users who will configure and maintain the Sandbox Studio application.

If you are integrating with an external identity provider such as Microsoft Entra, see [External identity provider setup (Optional)](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/external-identity-provider-setup-optional "External identity provider setup (Optional)").

</td></tr><tr><td style="width: 16.8057%;">Manager Group Name</td><td style="width: 26.5793%;">IAM Identity Center group name for Sandbox Studio managers.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Defaults to `<Namespace>_SsManagersGroup`. This is the **"Managers"** group for users who oversee day-to-day sandbox usage within a department or team.

If you are integrating with an external identity provider such as Microsoft Entra, see [External identity provider setup (Optional)](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/external-identity-provider-setup-optional "External identity provider setup (Optional)").

</td></tr><tr><td style="width: 16.8057%;">User Group Name</td><td style="width: 26.5793%;">IAM Identity Center group name for Sandbox Studio end users.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Defaults to `<Namespace>_SsUsersGroup`. This is the **"Users"** group for users who log in to sandbox accounts and use them for development, testing, training, or experimentation. If you are integrating with an external identity provider such as Microsoft Entra, see [External identity provider setup (Optional)](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/external-identity-provider-setup-optional "External identity provider setup (Optional)").

</td></tr><tr><td style="width: 16.8057%;">Identity Center Instance</td><td style="width: 26.5793%;">The IAM Identity Center instance ARN and Identity Store ID used for Sandbox Studio integration.</td><td style="width: 10.0119%;">Confirm</td><td style="width: 46.7223%;">The wizard will list the detected Identity Center instance and ask you to confirm it is the correct one.</td></tr><tr><td style="width: 16.8057%;">Custom Application in Identity Center</td><td style="width: 26.5793%;">The SAML 2.0 application used by Sandbox Studio for authentication.</td><td style="width: 10.0119%;">Confirm / Input</td><td style="width: 46.7223%;">You can either select an existing Identity Center application or the wizard will help you create a new one.</td></tr><tr><td style="width: 16.8057%;">Allowed IP Ranges</td><td style="width: 26.5793%;">CIDR ranges of IP addresses allowed to access the Sandbox Studio API.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Defaults to all IPs (`0.0.0.0/1,128.0.0.0/1`). Restrict to corporate ranges if needed.</td></tr><tr><td style="width: 16.8057%;">Custom Domain</td><td style="width: 26.5793%;">(Optional) A DNS domain for Sandbox Studio instead of the CloudFront URL.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">If used, must configure CloudFront and ACM with this domain, and update Identity Center ACS URL accordingly.</td></tr><tr><td style="width: 16.8057%;">Email From Address</td><td style="width: 26.5793%;">Email address Sandbox Studio will use to send system notifications.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">Must be a verified identity in SES. 
Example: `sandboxstudio@example.com`.</td></tr><tr><td style="width: 16.8057%;">Admin Users</td><td style="width: 26.5793%;">Initial set of users (by username) to be added to the Admin group in Identity Center.</td><td style="width: 10.0119%;">Input</td><td style="width: 46.7223%;">You will be prompted to enter usernames to grant them full Sandbox Studio admin rights.</td></tr></tbody></table>
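
The format rules in the table can be checked before the wizard starts, and the Allowed IP Ranges default is worth flagging because the two `/1` ranges together cover the whole IPv4 address space. The following is an added example in POSIX shell, not the installer's own validation; all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for wizard inputs, using the table's constraints.
# Not the installer's own validation; all function names are hypothetical.

# Hub Account ID: exactly 12 digits.
valid_account_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# Namespace: 3-8 alphanumeric characters.
valid_namespace() {
  case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 8 ]
}

# One IPv4 CIDR: four octets 0-255 and a prefix length 0-32.
valid_cidr() {
  local ip="${1%/*}" prefix="${1##*/}" oldifs o
  case "$1" in */*) ;; *) return 1 ;; esac
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Classify the comma-separated Allowed IP Ranges value (no spaces):
#   invalid    - empty, or an entry is not an IPv4 CIDR
#   open       - has 0.0.0.0/0 or both halves of the documented default (other splits not detected)
#   restricted - anything else
classify_allowed_ranges() {
  local c low=0 high=0 oldifs
  case "$1" in ''|*[!0-9./,]*) echo invalid; return ;; esac
  oldifs="$IFS"; IFS=,; set -- $1; IFS="$oldifs"
  for c in "$@"; do
    valid_cidr "$c" || { echo invalid; return; }
    case "$c" in
      0.0.0.0/0) low=1; high=1 ;;
      0.0.0.0/1) low=1 ;;
      128.0.0.0/1) high=1 ;;
    esac
  done
  if [ "$low" -eq 1 ] && [ "$high" -eq 1 ]; then echo open; else echo restricted; fi
}
```

A result of `open` means the Sandbox Studio API accepts requests from any IPv4 source address, so authentication is the only gate in front of it.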

#### Deployment time

The deployment of the Sandbox Studio solution with the script should take around 1 hour.

<p class="callout info">Make sure your session timeout is at least 2 hours during the installation of Sandbox Studio.</p>

# Update Sandbox Studio

##### Updating Made Simple

Updating Sandbox Studio is easier than ever. The update process uses the same [installation script](https://docs.sandboxstudiosoftware.com/link/89#bkmrk-page-title) you used for the initial setup, making it straightforward and familiar.

##### How It Works

When you run the installation script on an environment with an existing Sandbox Studio installation, the script automatically:

1. **Detects** the previous installation
2. **Gathers** all required configuration information from your current setup
3. **Presents** a summary of what will be updated
4. **Asks for confirmation** before proceeding

##### Running the wizard

1. Log in to your AWS **Organisation Management account**.
2. Open a new [CloudShell](https://aws.amazon.com/cloudshell/) console (a link to open CloudShell can be found in the bottom left corner of the AWS console).
3. Ensure you are in the region where you want to install Sandbox Studio.
4. Run the following command:

```bash
bash <(curl -s https://dist.sandboxstudiosoftware.com/install.sh)
```

The following should display:

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/scaled-1680-/3CHimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/3CHimage.png)

##### Confirm existing values

The script will display your current installation details and the updates available. Review this information carefully to ensure everything is correct.

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/scaled-1680-/57Oimage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/57Oimage.png)

##### Select Stacks to Update

You'll be presented with a stack-by-stack selection interface. For each stack, you can choose whether to update it or skip it.

<p class="callout info">**Best Practice:** It is highly recommended to update all stacks to ensure compatibility and access to the latest features and security patches.</p>

[![image.png](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/scaled-1680-/h3timage.png)](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/h3timage.png)

<p class="callout warning">Note: During the update process, the script modifies only the CloudFormation stacks for Sandbox Studio. It does not modify your existing configuration (AppConfig), your Identity Center applications, or anything else. You can force a reinstall of the solution by adding the flag **--reinstall true** to the installation script.</p>
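
Both the installation and the update run the same remote script from the organisation management account. The sketch below, an added example that is not part of the Sandbox Studio documentation, saves the script to a file so it can be read and its SHA-256 recorded before it runs. The function names and the locally recorded digest are assumptions, since this page publishes no checksum.

```shell
#!/usr/bin/env bash
# Added example: fetch the installer to disk, review it, pin its hash, then run it.
# Function names and the locally recorded digest are assumptions;
# the page does not publish a checksum for install.sh.

INSTALLER_URL="https://dist.sandboxstudiosoftware.com/install.sh"

# Download to a file. --fail stops an HTTP error page from being saved as a script,
# and --proto '=https' refuses any non-HTTPS transfer.
fetch_installer() {
  curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
       -o "$1" "$INSTALLER_URL"
}

# Print the SHA-256 of a file (sha256sum where available, otherwise shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file's digest equals the one recorded when it was reviewed.
digest_matches() {
  [ -n "$2" ] && [ "$(file_sha256 "$1")" = "$2" ]
}

# Run the reviewed file; extra arguments (for example --reinstall true) pass through.
run_if_verified() {
  local file="$1" expected="$2"
  shift 2
  if digest_matches "$file" "$expected"; then
    bash "$file" "$@"
  else
    echo "installer digest mismatch: refusing to run $file" >&2
    return 1
  fi
}

# Typical session in CloudShell:
#   fetch_installer ./install.sh
#   less ./install.sh              # read what will run in the management account
#   file_sha256 ./install.sh       # record this value once the script is reviewed
#   run_if_verified ./install.sh "<digest you recorded>"
```

Keeping the reviewed file and its digest alongside your change record also shows which installer version was run for each update.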

##### Support

If you encounter any issues during the update process, please contact your Sandbox Studio support team at <support@sandboxstudiosoftware.com> or go to [https://support.sandboxstudiosoftware.com](https://support.sandboxstudiosoftware.com).