| **Capability** | **What It Does** | **Benefit** |
|---|---|---|
| **Instant Account Access** | - Launch AWS sandbox accounts in seconds with all required configurations already applied. - Accounts are ready for use immediately without any manual setup. | - Start projects right away without waiting for environments to be built. - Enable rapid experimentation, testing, or proof-of-concept work. |
| **Stay on Budget** | - Define spending limits for each account so costs are controlled automatically. - Receive alerts in real time before spending thresholds are exceeded. | - Prevent budget overruns before they happen. - Keep sandbox activity predictable and aligned with financial goals. |
| **Simplified Account Cleanup** | - Automatically remove all deployed resources when an account reaches its budget or time limit. - Reset the account back to a clean, ready-to-use state. | - Reduce manual cleanup effort and free up team time. - Ensure accounts are always safe to reuse for the next activity. |
| **Built-in Security** | - Apply service control policies (SCPs) to restrict services, regions, or actions. - Configure IAM permissions automatically for each sandbox account. | - Enforce security and compliance rules without manual setup. - Reduce the risk of unauthorised access or unsafe configurations. |
| **Flexible Permissions** | - Assign role-based IAM permissions tailored to each account type. - Limit user access to only the resources and actions they need. | - Prevent accidental or unwanted changes to environments. - Match account access precisely to each team member’s responsibilities. |
| **Ready-to-Launch Environments** | - Pre-provision AWS accounts with infrastructure for specific events or learning activities. - Perfect for hackathons, training workshops, and tutorials. | - Eliminate setup delays before events begin. - Provide a consistent, ready-made environment for participants. |
| **Controlled Access** | - Allow managers to oversee and manage specific accounts or groups. - Define permissions in detail to control exactly who can do what. | - Maintain a clear hierarchy of control across accounts. - Balance flexibility with governance requirements. |
| **Easy Management** | - Manage all sandbox accounts from a single, centralised dashboard. - Interface is designed to be simple for both technical and non-technical users. | - Give all team members the ability to manage sandboxes confidently. - Reduce reliance on technical specialists for basic account tasks. |
| **Term / Concept** | **Description** |
| Account Recycling | The process of **cleaning and reusing sandbox accounts** after they hit budget or time limits. This reduces AWS account sprawl, optimises resource use, and minimises administrative work by resetting accounts for new users. |
| Account Template | A **preconfigured set of sandbox rules and settings** that define how an account can be used. Templates can include approval requirements, budgets, alert thresholds, lease durations, and automatic enforcement actions. Admins and managers create templates, and users request new sandbox leases by selecting from the available templates. |
| AWS Nuke | An **open-source automation tool** that systematically deletes AWS resources across an account. It is used during account recycling to ensure no residual resources or configurations remain before reassigning the account. |
| Budget threshold | A **predefined spending limit** set by the customer. When spending reaches this threshold, Sandbox Studio can trigger automated actions such as sending alerts, stopping running resources, or blocking new deployments to prevent budget overruns. |
| Guardrails | **Preventive and detective controls** that help maintain security, compliance, and operational standards within sandbox accounts. Guardrails can include service restrictions, security configurations, and automated checks that detect or prevent policy violations. |
| Hub Account | A **centralised AWS account** used by Sandbox Studio to **coordinate** sandbox operations. The hub hosts shared resources, enforces configuration, and orchestrates automation across all sandbox accounts. |
| Lease | A **temporary allocation of an AWS account** to a user for a set time or budget. During the lease period, the user can run experiments or projects. When the lease expires, the account is reclaimed or recycled according to predefined rules. |
| Organisation Management Account | The **management account** is the top-level account in an AWS Organisation. It is automatically created when you set up the organisation and has full administrative control over all member accounts. |
| Organisational Unit (OU) | A **logical grouping of AWS accounts** within AWS Organisations that lets you organise accounts in a hierarchy and apply governance policies. Sandbox Studio creates separate OUs for active sandbox accounts and for recycled (cleaned and reusable) accounts, simplifying management and policy enforcement. |
| Permission set | A **collection of IAM Identity Center permissions** that define what a user can do within an AWS account. Permission sets are centrally managed and applied to users or groups to ensure consistent, controlled access. |
| Resource controls | Automated policies and mechanisms that manage the lifecycle of AWS resources. These controls enforce creation limits, modification rules, and automated cleanup based on budgets, time limits, and security requirements. |
| Sandbox environment | A **controlled, isolated AWS environment** that allows teams to experiment, test, and learn without affecting production systems. Sandboxes provide a safe space to try new services, prototype solutions, or run training exercises, with built-in limits and guardrails to prevent accidental overuse or security risks. |
| Service Control Policies (SCPs) | **Organisation-wide permission boundaries** that define the maximum available AWS permissions for accounts within an OU. SCPs are used to enforce consistent security, restrict high-risk services, and ensure sandbox accounts cannot bypass established rules. |
| **AWS Service** | **Description** |
|---|---|
| [Amazon CloudFront](https://aws.amazon.com/cloudfront/) | Acts as the **entry point** into the application. It fronts both the static website (hosted in Amazon S3) and the API Gateway, ensuring secure and efficient content delivery. |
| [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) | Manages **all user access** to the solution. Every user has an account in IAM Identity Center, where access permissions and group memberships are defined. |
| [AWS AppConfig](https://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html) | Stores **global limits and application settings**, allowing configuration updates without code changes. Used across multiple parts of the solution. |
| [AWS Organisations](https://aws.amazon.com/organizations/) | Hosts all **organisational units (OUs)** used to manage sandbox accounts. The solution places accounts in different OUs depending on their state in the sandbox lifecycle. |
| [Amazon RDS](https://aws.amazon.com/products/databases/) | Provides a **PostgreSQL database** for storing structured data such as account templates and lease records. |
| [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) | Securely stores **private keys for authentication** and database credentials used by the application. |
| [AWS Lambda](https://aws.amazon.com/lambda/) | Runs **all backend compute** for the application using a serverless architecture, avoiding the need for containers or virtual machines. |
| [AWS CodeBuild](https://aws.amazon.com/codebuild/) | Runs **pre-launch tasks** (such as deploying resources into new accounts) and **cleanup tasks** (such as deleting resources after a sandbox lease expires). |
| [Amazon S3](https://aws.amazon.com/s3/) | Hosts the **main static website** for the application. |
| [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms/) | Uses **customer-managed keys** to encrypt various elements of the solution. |
| [Amazon Simple Queue Service (Amazon SQS)](https://aws.amazon.com/sqs/) | Handles **asynchronous events** such as bulk account setup or cleanup operations. |
| [AWS Systems Manager](https://aws.amazon.com/systems-manager/) | Uses AWS Systems Manager **Parameter Store** to store **installation-time configuration variables** that need to be shared across different CloudFormation stacks in the solution. |
| [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) | Captures **all application logs and system metrics**, allowing administrators to monitor system health and troubleshoot issues. |
| **Service** | **Certifications** |
|---|---|
| **Amazon CloudFront** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, ISO 27001/17/18, FedRAMP |
| **AWS IAM Identity Center** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, IRAP, ISO 27001/17/18 |
| **AWS AppConfig** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, ISO 27001/17/18, FedRAMP |
| **AWS Organizations** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, ISO 27001/17/18 |
| **Amazon RDS** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA/HITECH, ISO 27001/17/18, FedRAMP, GDPR |
| **AWS Secrets Manager** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, ISO 27001/17/18, ISO 9001 |
| **AWS Lambda** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, FedRAMP, ISO 27001/17/18 |
| **AWS CodeBuild** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, FedRAMP, ISO 27001/17/18 |
| **Amazon S3** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA/HITECH, ISO 27001/17/18, FedRAMP, GDPR |
| **AWS Key Management Service (KMS)** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, FedRAMP, ISO 27001/17/18, FIPS 140-3 |
| **Amazon Simple Queue Service (SQS)** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, ISO 27001/17/18, FedRAMP |
| **AWS Systems Manager** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, FedRAMP, ISO 27001/17/18 |
| **Amazon CloudWatch** | SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, FedRAMP, ISO 27001/17/18 |
| **Role name** | **Account created in** | **Purpose** | **Can be assumed by** |
| OrgMgtRole - *SandboxStudio-{Namespace}-OrgMgtRole* | Management Account | For operations on the org management account (Move accounts between OUs, etc.) | IntermediateRole in Hub Account |
| IntermediateRole - *SandboxStudio-{Namespace}-IntermediateRole* | Hub Account | For functions, step functions, etc to assume to then be able to assume the Org Management Role | Roles starting with SandboxStudio-Compute-\* and SandboxStudio-API-\* |
| IdcRole - *SandboxStudio-{Namespace}-IdcRole* | Management Account | For operations in Identity Center | IntermediateRole in Hub Account |
| SandboxAccountRole - *SandboxStudio-{Namespace}-SandboxAccountRole* | Member accounts | For Hub Accounts to control member accounts | IntermediateRole in Hub Account |
CodeBuildDeployRole | Member accounts | To allow launch templates in member accounts | Step function to create launch templates |
| LaunchTemplateExternalAccessRole | Hub Account | Allows access to S3 buckets in external accounts | CodeBuildDeployRole |
Secret name | Description | Rotated? |
|---|---|---|
/SandboxStudio/Sandbox/Auth/IdpCert | IAM Identity Center Certificate of the Sandbox Studio SAML 2.0 custom app | No |
/SandboxStudio/Sandbox/Auth/JwtSecret | The secret for JWT used by Sandbox Studio | Automatically, every 30 days |
/SandboxStudio/Sandbox/RDS/Credentials | Credentials for RDS PostgreSQL instance for SandboxStudio | Not automatically - *Planned for next Sandbox Studio releases* |
/SandboxStudio/Sandbox/SMTP/Credentials | SMTP Credentials for Sandbox Studio (Only use if Sandbox Studio is configured to send notifications using SMTP) | No |
Sandbox Studio uses JWT Token for authentication mechanism. As part of the solution, and to ensure higher standards of security, the JWT Secret is rotated every 30 days.
##### ##### Encryption keys Sandbox Studio creates the following KMS keys:Aliases | Key type | Key spec | Key usage |
|---|---|---|---|
- | Symmetric | SYMMETRIC_DEFAULT | Encrypt and decrypt |
SandboxStudio/Sandbox/Sandbox-SandboxStudio-Data | Symmetric | SYMMETRIC_DEFAULT | Encrypt and decrypt |
- | Symmetric | SYMMETRIC_DEFAULT | Encrypt and decrypt |
SandboxStudio/Sandbox/Sandbox-SandboxStudio-Compute | Symmetric | SYMMETRIC_DEFAULT | Encrypt and decrypt |
SandboxStudio/Sandbox/Sandbox-SandboxStudio-API | Symmetric | SYMMETRIC_DEFAULT | Encrypt and decrypt |
Sandbox Studio S3 Buckets use Amazon-Managed server-side encryption.
##### # Data stored (and where) #### Overview Sandbox Studio provisions a single-AZ database by default (db.t4g.micro). You can modify the database size according to your requirements.**Why Sandbox Studio needs it**: Sandbox Studio creates and manages sandbox accounts dynamically. AWS Organisations provides the framework to programmatically create new accounts, apply consistent policies, and maintain governance across all sandbox environments.
Please refer to this link to learn how to use AWS Organisations: [https://docs.aws.amazon.com/organizations/latest/userguide/orgs\_tutorials\_basic.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html) --- #### 2. Service Control Policies (SCPs) Ensure you have enabled Service Control Polices within your AWS Organisation. > Service control policies (SCPs) are a type of organisation policy that you can use to manage permissions in your organisation. SCPs offer central control over the maximum available permissions for the IAM users and IAM roles in your organisation. SCPs help you to ensure your accounts stay within your organisation’s access control guidelines. SCPs are available only in an organisation that has [all features enabled](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html). SCPs aren't available if your organisation has enabled only the consolidated billing features. For instructions on enabling SCPs, see [Enabling a policy type](https://docs.aws.amazon.com/organizations/latest/userguide/enable-policy-type.html). [\[1\]](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)**Why Sandbox Studio needs it**: SCPs allow setting up guardrails and security boundaries for sandbox accounts, preventing users from accessing restricted services or regions and maintain a safe experimentation environment.
Refer to this page to learn how to enable SCPs: [https://docs.aws.amazon.com/organizations/latest/userguide/orgs\_manage\_policies.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html) --- #### 3. AWS IAM Identity Center Ensure you have enabled AWS IAM Identity Center in your AWS Organisation. **Note:** Sandbox Studio requires an [Organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/organization-instances-identity-center.html) of IAM Identity Center to be configured in your AWS environment. > IAM Identity Center is built on top of AWS Identity and Access Management (IAM) to simplify access management to multiple AWS accounts, AWS applications, and other SAML-enabled cloud applications. In IAM Identity Center, you create, or connect, your workforce users for use across AWS. You can choose to manage access just to your AWS accounts, just to your cloud applications, or to both. You can create users directly in IAM Identity Center, or you can bring them from your existing workforce directory. With IAM Identity Center, you get a unified administration experience to define, customize, and assign fine-grained access. Your workforce users get a user portal to access their assigned AWS accounts or cloud applications. [\[1\]](Note:%20Sandbox%20Studio%20requires%20an%20Organization%20instance%20%5B2%5D%20of%20IAM%20Identity%20Center%20to%20be%20configured%20in%20your%20AWS%20environment.)**Why Sandbox Studio needs it**: Users need seamless access to their assigned sandbox accounts. Identity Center provides single sign-on capabilities and centralised user management, allowing Sandbox Studio to grant and revoke access to sandbox environments automatically.
Refer to this page to learn how to enable IAM Identity Center: [https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/enable-identity-center.html) --- #### 4. Resource Access Manager (RAM) Enable resource sharing in your AWS organisation using AWS Resource Access Manager (RAM). > AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types. You can use AWS RAM to share resources with other AWS accounts. This eliminates the need to provision and manage resources in every account. When you share a resource with another account, that account is granted access to the resource and any policies and permissions in that account apply to the shared resource. [\[1\]](https://aws.amazon.com/ram/faqs/)**Why Sandbox Studio needs it**: Sandbox Studio needs to share common resources (like [SSM Parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)) across multiple sandbox accounts efficiently, reducing duplication and management overhead.
Refer to this page to learn how to enable Resources Sharing within your AWS organisation: [https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) --- #### 5. CloudFormation StackSets Ensure you have activated trusted access for CloudFormation Stack sets. > AWS CloudFormation StackSets extends the capability of stacks by allowing you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. Using an administrator account, you define and manage a CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified AWS Regions. [\[1\]](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)**Why Sandbox Studio needs it**: Sandbox Studio uses StackSets to deploy consistent infrastructure templates across multiple sandbox accounts simultaneously, enabling standardised environment provisioning and updates.
Refer to this page to learn how to activate trusted access for StackSets with AWS Organisations: [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html) --- #### 6. Cost Explorer Ensure that you have enabled Cost Explorer in your organisation management account. > AWS Cost Explorer has an easy-to-use interface that lets you visualise, understand, and manage your AWS costs and usage over time. [\[1\]](https://aws.amazon.com/aws-cost-management/aws-cost-explorer)**Why Sandbox Studio needs it**: Sandbox Studio requires cost monitoring to track spending across sandbox accounts, implement cost controls, generate usage reports, and trigger cleanup actions when cost thresholds are exceeded.
Refer to this page to learn how to enable Cost Explorer: [https://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html) --- #### 7. Lambda Concurrency Limit Ensure that your AWS Lambda concurrency limit is adequate; most accounts default to 1000 (which is usually more than sufficient), but in new accounts this limit may be set to 10, in which case you should raise a service quota request to increase it via [AWS Service Quotas](https://console.aws.amazon.com/servicequotas/home/services/lambda/quotas/L-B99A9384). **Note:** This limit increase should be applied to the **Hub Account**. > Concurrency is the number of in-flight requests that your AWS Lambda function is handling at the same time. For each concurrent request, Lambda provisions a separate instance of your execution environment. As your functions receive more requests, Lambda automatically handles scaling the number of execution environments until you reach your account's concurrency limit. By default, Lambda provides your account with a total concurrency limit of 1,000 concurrent executions across all functions in an AWS Region. To support your specific account needs, you can request a quota increase and configure function-level concurrency controls so that your critical functions don't experience throttling. [\[1\]](https://docs.aws.amazon.com/lambda/latest/dg/lambda-concurrency.html) > > If the Applied quota value is less than 1000, select the **Request quota increase** button to request an increase to this value to at least 1000 before deploying the solution. [\[2\]](https://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/prerequisites.html) Refer to this page to learn how to request the quota increase for the concurrency limit. [https://repost.aws/knowledge-center/lambda-concurrency-limit-increase](https://repost.aws/knowledge-center/lambda-concurrency-limit-increase) --- # Choosing your region(s) When setting up Sandbox Studio, choosing the correct AWS Regions is an important step. The regions you select determine where the solution is deployed, which regions users can access, and how accounts are cleaned up. --- #### 1. Identify Your Home Region In an AWS Organisation setup, **IAM Identity Center (IDC)** is enabled in one specific Region. This Region becomes your **home Region** and must be used for deploying Sandbox Studio: - **Organisation Management Account** – deploy into this Region. - **Hub Account** – deploy into this same Region.All core solution stacks (AccountPool, IDC, Network, Data, SES, Compute, API) must be deployed in the same home region.
--- #### 2. Select Managed Regions During installation, you specify which AWS Regions Sandbox Studio will **manage**. This has two main effects: ##### a. Service Control Policies (SCPs) - SCPs are applied at the **Organisational Unit (OU)** level. - They restrict users to the Regions you whitelist. - Users cannot deploy resources into Regions outside of this list. - Some AWS services (e.g. **IAM**, **CloudFront**) are considered *global services* and are not restricted by SCPs. ##### b. Account Clean-Up - When a sandbox account expires, a clean-up job is triggered. - This job scans only the whitelisted Regions. - More Regions = longer scan and clean-up time. - Limiting Regions speeds up recycling while maintaining governance. --- #### Best Practices - **Keep your managed Regions list small** – choose only the Regions your teams genuinely need. - **Consider compliance requirements** – some organisations must restrict usage to specific Regions (e.g. EU-only). - **Balance flexibility with efficiency** – more Regions provide flexibility but increase clean-up time. --- #### Available Regions Sandbox Studio on AWS is available in the following AWS Regions. Learn more about enabling regions.| Region Name | Region Code |
|---|---|
| US East (Ohio) | us-east-2 |
| US East (N. Virginia) | us-east-1 |
| US West (N. California) | us-west-1 |
| US West (Oregon) | us-west-2 |
| Africa (Cape Town) | af-south-1 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Tokyo) | ap-northeast-1 |
| Asia Pacific (Seoul) | ap-northeast-2 |
| Asia Pacific (Osaka) | ap-northeast-3 |
| Asia Pacific (Mumbai) | ap-south-1 |
| Asia Pacific (Hyderabad) | ap-south-2 |
| Asia Pacific (Singapore) | ap-southeast-1 |
| Asia Pacific (Sydney) | ap-southeast-2 |
| Asia Pacific (Jakarta) | ap-southeast-3 |
| Asia Pacific (Melbourne) | ap-southeast-4 |
| Canada (Central) | ca-central-1 |
| Europe (Frankfurt) | eu-central-1 |
| Europe (Zurich) | eu-central-2 |
| Europe (Stockholm) | eu-north-1 |
| Europe (Milan) | eu-south-1 |
| Europe (Spain) | eu-south-2 |
| Europe (Ireland) | eu-west-1 |
| Europe (London) | eu-west-2 |
| Europe (Paris) | eu-west-3 |
| Middle East (UAE) | me-central-1 |
| Middle East (Bahrain) | me-south-1 |
| South America (São Paulo) | sa-east-1 |
**Important:** Two of the seven CloudFormation stacks **must** be installed in the organisation management account. See CloudFormation templates section for more details.
--- #### Hub Account - A dedicated member account used to host most of the Sandbox Studio solution. - Acts as the **central hub** that manages sandbox accounts (the “spokes”). - Runs shared infrastructure, automation, and orchestration services. #### Benefits of using a hub account - Keeps the organisation management account clean and reserved for governance only. - Separates operational workloads from core AWS Organisation functions. - Provides a secure, centralised place for automation and account lifecycle management. --- #### Sandbox Accounts - These are the accounts actually handed out to users. - They are recycled and reused through an automated lifecycle. - Administrators create a pool of accounts, then onboard them into Sandbox Studio. - Once onboarded, the accounts are considered **managed** by Sandbox Studio. The system controls their lifecycle by: - Assigning them to OUs (e.g. “Active” or “Cleanup”). - Applying SCPs and guardrails. - Resetting and recycling them after a lease expires. **Note:** Sandbox accounts are intended for non-production use. If your users are looking for ways to provision production ready accounts, consider alternative solutions. --- #### Deployment Options You have two choices when deploying Sandbox Studio: 1. **Deploy everything into the organisation management account** - Simplifies the setup. - Not recommended by AWS, as it mixes governance functions with workloads. 2. **Split the deployment between management and hub accounts (recommended)** - Management account runs only the required governance components. - Hub account runs the main solution. - Provides better alignment with AWS best practices for multi-account security and governance. # Understand running costs Running Sandbox Studio does involve some ongoing AWS costs, but these are generally modest and reflect the standard services needed to keep things running securely and reliably. You can think of them as the “behind-the-scenes” charges for the hub account that coordinates all of your sandbox activity, plus whatever your team chooses to spend in the sandbox accounts themselves. There are three areas to be aware of: 1. **Hub account running costs** 2. **Sandbox account usage costs** 3. **Sandbox Studio licensing** --- #### 1. Hub Account Running Costs The **hub account** is where Sandbox Studio itself lives. It runs the background services that make the platform work—things like APIs, databases, and networking. Some typical monthly costs you might see: ##### a) Core compute services These are the serverless AWS services that power the application — **Lambda**, **API Gateway**, **Step Functions**, **CloudFront**, **Amazon S3**, **KMS,** and **SES**. - **Typical spend → USD $30 – $60 per month.** ##### b) Web Application Firewall (WAF) Helps protect your Sandbox Studio web interface from unwanted traffic. - **Typical spend → USD $10–$12 per month.** ##### c) AWS Cost Explorer API Used to fetch the latest spend data from your sandbox accounts (so you can see usage and enforce limits). Sandbox Studio checks once an hour, which works out to: - **USD $7.20 per month.** ##### d) Database (Amazon RDS) Stores all the information about accounts, budgets, and leases. The default setup uses a lightweight **t4g.micro PostgreSQL instance** to keep things cost-effective. - **Typical spend → USD $35–$45 per month.**You can upgrade the database for extra reliability (e.g. Multi-AZ, larger instance, automated backups), but that will naturally add to the monthly cost.
##### e) Networking (VPC, NAT Gateways, VPC Endpoints) Provides secure private networking for the database and functions. By default, this includes 2 NAT gateways and 4 VPC endpoints. - **Typical spend → about USD $125 per month.**If you want to reduce network costs, you can customise the networking — for example, by using a NAT instance, routing traffic through a shared networking account, or dropping VPC endpoints in favour of internet access.
See: [AWS services in this solution](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/aws-services-in-this-solution?utm_source=chatgpt.com) for the full list of services involved. --- #### 2. Sandbox Account Usage Costs Each sandbox account has its own AWS bill, which depends entirely on how people use it. - You control this by **setting budgets and thresholds** in account templates. - Sandbox Studio automatically enforces these budgets, but be aware that AWS Cost Explorer data can be delayed by up to 8 hours.This means actual spend might go slightly over the set budget before the system notices. To stay safe, we recommend setting your budget a little below your maximum acceptable spend.
In short, sandbox account costs are **your choice**—you decide the budgets, and Sandbox Studio helps keep them under control. --- #### 3. Sandbox Studio Licensing Licensing is straightforward: - **Free Tier**: Manage up to 3 AWS accounts at no cost. - **AWS Marketplace Upgrade**: If you want to manage more than 3 accounts, you can upgrade directly through AWS Marketplace. - **Education Discounts**: Heavily reduced rates are available for educational use — contact us for details. See: [Free Tier and Upgrading](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/free-tier-and-upgrading "Free Tier and Upgrading"). # Creating sandbox accounts Sandbox Studio works by managing a **pool of AWS accounts**. These accounts are pre-provisioned by your organisation and then handed out to users as sandboxes when requested. Sandbox Studio does not create new AWS accounts itself; instead, it manages the lifecycle of accounts that you provide. --- #### Account Pool and Lifecycle When a user requests a sandbox: 1. An AWS account is **allocated from the pool**. 2. Sandbox Studio applies the correct policies, budgets, and permissions. 3. The user is granted access to the account. 4. Sandbox Studio continuously monitors usage, including: - **Duration** (how long the account has been leased) - **Costs** (how much has been spent) When a lease expires or a budget limit is reached: - The account is **revoked from the user**. - All resources in the account are cleaned up using the configured **cleaner settings** (by default, AWS Nuke is used). - The account is returned to the pool for future use (**recycled**). --- #### Provisioning New Accounts Sandbox Studio does not provision AWS accounts directly. It is the responsibility of **administrators** to create new accounts before onboarding them into Sandbox Studio. You can use any existing organisational process to provision accounts, including: - **AWS Control Tower** - **Landing Zone Accelerator** - **Terraform or other automation tools** - **Manual account creation in AWS Organisations******Note:**** Sandbox Studio is agnostic of how you provision new AWS accounts. It does not dictate how you create accounts; it only requires that the accounts are onboarded to be managed by Sandbox Studio.
--- #### Onboarding Accounts Before Sandbox Studio can manage accounts, they must be **onboarded**. Onboarding ensures Sandbox Studio can take full lifecycle control of the account. Onboarding involves: 1. **Moving the account** into the designated **Sandbox OU** within AWS Organisations. - Sandbox Studio configures this OU during installation. - It applies guardrails and policies to all accounts inside it. 2. **Registering the account** inside the Sandbox Studio console. - Use the **AWS Accounts** page in the administrator view. - Select the account to onboard and confirm management by Sandbox Studio. Once onboarded, the account becomes fully managed. Sandbox Studio will: - Assign and track leases - Monitor budgets and thresholds - Clean and recycle the account at the end of each lease --- #### Capacity Planning As an **IT administrator**, you are responsible for ensuring there are enough accounts in the pool to meet demand. Consider: - **Number of active users** – how many developers, students, or testers will need accounts at once. - **Expected workloads** – training, hackathons, or workshops may need dozens of accounts at short notice. - **Recycling time** – accounts are not available again until after cleanup completes. Best practice is to provision slightly more accounts than your peak expected demand to avoid user delays. # External identity provider setup (Optional) Many organisations, particularly those running a multi-account AWS environment, use **AWS IAM Identity Center** with an external identity provider such as **Microsoft Active Directory, Microsoft Entra ID, or Okta**. This allows centralised identity management, where one platform governs access across multiple enterprise systems. If your organisation uses an external identity platform (for example, Entra), you will need to align its group setup with **Sandbox Studio’s IAM Identity Center groups**. --- #### Default Groups in IAM Identity Center When you install Sandbox Studio, the solution automatically provisions **three groups** in IAM Identity Center. These groups control access based on role type: ##### 1. Administrators Responsible for configuring and maintaining Sandbox Studio. Administrators are responsible for: - Setting global policies (e.g. maximum budgets and cleanup rules). - Provisioning new sandbox accounts and monitoring the sandbox account pool. - Overseeing security and governance settings. ##### 2. Managers Oversee day-to-day sandbox usage within a department or team. Managers are responsible for - Approving or rejecting sandbox requests within their team/department. - Creating and managing account templates including budgets, pre-provisioned resources and permissions. - Tracking spending and activity for supervised accounts. ##### 3. Sandbox Users Login to sandbox accounts and use them for development, testing, training, or experimentation. --- #### Group Naming The **default names** created by Sandbox Studio are: - `**Important:** You must create groups in your external identity platform (e.g. Entra, Okta) with the **exact same names** you configure in Sandbox Studio.
--- #### Linking External Identity Provider Groups 1. **Create Groups in Your Identity Platform** - Create groups in Entra/Okta/AD that match the IAM Identity Center group names. - Example: If your namespace is `Acme`, create `Acme_SsAdminsGroup`, `Acme_SsManagersGroup`, and `Acme_SsUsersGroup`. 2. **Assign Users to Groups in Your Identity Platform** - Add users to the relevant group based on their role. - Example: Developers should be added to the `SsUsersGroup`, team leads to `SsManagersGroup`, and central admins to `SsAdminsGroup`. 3. **Synchronisation with IAM Identity Center** - IAM Identity Center automatically syncs external groups. - Once a user is added to the external group, they will inherit the corresponding **Sandbox Studio role and permissions**. # Deploy the Solution To help streamline the setup of Sandbox Studio, we’ve provided an installation script that checks your environment for the necessary prerequisites and guides you through deploying the solution step by step. This is our recommended installation method, as it simplifies the process and reduces the chance of configuration issues. However, if you prefer to install the solution manually, please refer to the manual installation documentation or contact our support team for assistance. # Running the Installation Wizard #### Introduction This wizard has been created to facilitate the installation and deployment of the Sandbox Studio solution in your environment. It automates as many steps as possible and checks for prerequisites before the installation. #### Running the wizard 1. Login to your AWS **Organisation Management account**. 2. Open a new [CloudShell](https://aws.amazon.com/cloudshell/) console (a link to open CloudShell can be found in the bottom left corner of the AWS console). 3. Ensure you are in the region where you want to install Sandbox Studio. 4. Run the following command: ```bash bash <(curl -s https://dist.sandboxstudiosoftware.com/install.sh) ``` The following should display: [](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-08/P7gimage.png) The wizard will guide you through the installation process.Do not use your root account to run this script as it will fail and does not follow AWS best practices!
#### Prerequisites The wizard will automatically check for [prerequisites](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/installation-prerequisites "Installation Prerequisites"). If any of the prerequisites are not met, the wizard will display the URL to the right documentation to help you configure your environment. See [Installation Prerequisites](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/installation-prerequisites "Installation Prerequisites") page for more details. #### Inputs The installation wizard will ask you to set/confirm a set of input parameters during the installation process:| **Input Variable** | **Description** | **Input or Confirm** | **Comments** |
|---|---|---|---|
| Management Account ID | The AWS account ID of the management account (auto-detected by the script). | Confirm | During setup, you will be asked to confirm that you are indeed using the correct **organisation management account**. This ensures Sandbox Studio can set up organisation units and Service Control Policies. |
| Region | AWS region where Sandbox Studio will be deployed. | Confirm / Input | The script attempts to detect the region from AWS CLI config. If not found, you will be prompted to input one (default `us-east-1`). |
| Hub Account ID | The account ID that will host Sandbox Studio infrastructure (may be same as management account). | Input | Must be a 12-digit AWS account ID. If left empty, the management account ID will be used. See [Choosing the hub account](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/choosing-the-hub-account "Choosing the hub account"). |
| Parent OU ID | AWS Organisation Unit ID where Sandbox Studio OUs will be created. | Input | Defaults to the **Root OU ID**, but can be set to any valid parent OU so that Sandbox Studio's OU are created under that OU and inherit existing SCP's if required. |
| Namespace | Short prefix (3–8 alphanumeric characters) used to name Sandbox Studio resources. | Input | Example: `MySs`. Used as a unique identifier in stack names and IAM groups. |
| Managed Regions | List of AWS regions where Sandbox Studio should manage accounts/resources. | Input | Comma-separated values (e.g., `us-east-1,eu-west-1`). Defaults to the chosen region. See [Choosing your region(s)](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/choosing-your-regions "Choosing your region(s)"). |
| Admin Group Name | IAM Identity Center group name for Sandbox Studio administrators. | Input | Defaults to ` |
| Manager Group Name | IAM Identity Center group name for Sandbox Studio managers. | Input | Defaults to ` |
| User Group Name | IAM Identity Center group name for Sandbox Studio end users. | Input | Defaults to ` |
| Identity Center Instance | The IAM Identity Center instance ARN and Identity Store ID used for Sandbox Studio integration. | Confirm | The wizard will list the detected Identity Center instance and ask you to confirm it is the correct one. |
| Custom Application in Identity Center | The SAML 2.0 application used by Sandbox Studio for authentication. | Confirm / Input | You can either select an existing Identity Center application or the wizard will help you create a new one. |
| Allowed IP Ranges | CIDR ranges of IP addresses allowed to access the Sandbox Studio API. | Input | Defaults to all IPs (`0.0.0.0/1,128.0.0.0/1`). Restrict to corporate ranges if needed. |
| Custom Domain | (Optional) A DNS domain for Sandbox Studio instead of the CloudFront URL. | Input | If used, must configure CloudFront and ACM with this domain, and update Identity Center ACS URL accordingly. |
| Email From Address | Email address Sandbox Studio will use to send system notifications. | Input | Must be a verified identity in SES. Example: `sandboxstudio@example.com`. |
| Admin Users | Initial set of users (by username) to be added to the Admin group in Identity Center. | Input | You will be prompted to enter usernames to grant them full Sandbox Studio admin rights. |
Make sure your session timeout is at least 2 hours for during the installation of Sandbox Studio.
# Update Sandbox Studio ##### Updating Made Simple Updating Sandbox Studio is easier than ever. The update process uses the same [installation script ](https://docs.sandboxstudiosoftware.com/link/89#bkmrk-page-title)you used for the initial setup, making it straightforward and familiar. ##### How It Works When you run the installation script on a environment with an existing Sandbox Studio installation, the script automatically: 1. **Detects** the previous installation 2. **Gathers** all required configuration information from your current setup 3. **Presents** a summary of what will be updated 4. **Asks for confirmation** before proceeding ##### ##### Running the wizard 1. Login to your AWS **Organisation Management account**. 2. Open a new [CloudShell](https://aws.amazon.com/cloudshell/) console (a link to open CloudShell can be found in the bottom left corner of the AWS console). 3. Ensure you are in the region where you want to install Sandbox Studio. 4. Run the following command: ```bash bash <(curl -s https://dist.sandboxstudiosoftware.com/install.sh) ``` 1. The following should display: [](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/3CHimage.png) ##### Confirm existing values The script will display your current installation details and the updates available. Review this information carefully to ensure everything is correct. [](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/57Oimage.png) ##### Select Stacks to Update You'll be presented with a stack-by-stack selection interface. For each stack, you can choose whether to update it or skip it.**Best Practice:** It is highly recommended to update all stacks to ensure compatibility and access to the latest features and security patches.
[](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-10/h3timage.png) #####Note: During update process, the script does not modify your existing configuration (AppConfig), your Identity Center applications, or anything else than the CloudFormation stacks for Sandbox Studio. You can force a reinstall of the solution by adding the flag **--reinstall true** to the installation script
##### ##### Support If you encounter any issues during the update process, please contact your Sandbox Studio support team atBefore you embark on this manual AWS CloudFormation adventure, let us remind you that we've poured countless hours (and several pots of coffee) into creating a beautiful, automated deployment wizard that handles all the CloudFormation templates, Identity Center custom SAML application setup, and custom application configurations for you. It's tested, reliable, and significantly less likely to result in you going back and forth between the AWS console, CloudFormation stacks, and custom application logs at 2 AM trying to figure out why your deployment failed. If you're here because you enjoy the thrill of manually configuring SAML attributes, debugging CloudFormation syntax errors, and the unique satisfaction of troubleshooting custom application integrations that could have been automated entirely, then welcome—you're in the right place! **But seriously, unless you have a very specific reason for going manual, please consider using our automated script. Your future self will thank you, and so will our support team.**
**[Click here to see how to run the Installation Wizard instead](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/running-the-installation-wizard "Running the Installation Wizard")**
[](https://docs.sandboxstudiosoftware.com/uploads/images/gallery/2025-08/P7gimage.png) # Overview of what you'll do Installing Sandbox Studio manually follows three main stages. Each stage builds on the last, so it’s important to work through them in order. --- #### 1. Confirm Prerequisites Before beginning the installation, you should confirm that your organisation meets all prerequisites. Sandbox Studio relies on several AWS services and features being enabled in advance, including: - **AWS Organisations** with all features enabled - **Service Control Policies (SCPs)** for account guardrails - **AWS Resource Access Manager (RAM)** for resource sharing - **CloudFormation StackSets trusted access** - **AWS Cost Explorer** for spend tracking - **IAM Identity Center (IdC)** for centralised access control - **AWS Service Quotas** (e.g. Lambda concurrency, CodeBuild quotas) For a full checklist of requirements, please see the **[Installation Prerequisites](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/installation-prerequisites "Installation Prerequisites")**. You will also need to collect configuration values in advance, such as: - AWS Region - Organisation and OU IDs - IAM Identity Center group names - IP allow-list ranges --- #### 2. Deploy the CloudFormation Stacks Next, you will deploy the Sandbox Studio CloudFormation templates. Each stack must be launched in the correct AWS account and in a specific order. - **Organisation Management account** - [Account Pool stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-1-deploy-the-accountpool-stack "Step 1: Deploy the AccountPool stack") - [IDC stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-2-deploy-the-idc-stack "Step 2: Deploy the IDC stack") - **Hub account** - [Network stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-3-deploy-the-network-stack "Step 3: Deploy the Network stack") - [Data stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-4-deploy-the-data-stack "Step 4: Deploy the Data stack") - [SES stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-5-deploy-the-ses-stack "Step 5: Deploy the SES stack") - [Compute stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-5-deploy-the-compute-stack "Step 6: Deploy the Compute stack") - [API stack](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/step-6-deploy-the-api-stack "Step 7: Deploy the API stack") Each stack depends on outputs from earlier stacks. The next page, **[Deploying the Stacks](https://docs.sandboxstudiosoftware.com/books/installation-guide/page/aws-cloudformation-templates "AWS CloudFormation templates")** provides the exact order and details. --- #### 3. Complete Post-Deployment Steps Once the stacks are deployed successfully, you’ll need to carry out some manual configuration tasks. These ensure Sandbox Studio integrates with your organisation’s identity provider, DNS, and and your application settings are in sync with your environment. At a high level, you will: 1. **Set up a SAML 2.0 application** in IAM Identity Center, and assign Sandbox Studio groups to it. 2. **Configure DNS (optional)** for a custom domain, and update the application ACS URL. 3. **Update AWS AppConfig settings** (IdP URLs, audience, web app URL, access portal, email “from” address). 4. **Store the IdP certificate** in AWS Secrets Manager (the API stack provides the secret ARN). 5. **Add initial administrators** to the Sandbox Studio Admin group in IAM Identity Center. Each of these steps is explained in detail in the [**Post-Deployment Configuration**](https://docs.sandboxstudiosoftware.com/books/installation-guide/chapter/post-deployment-configuration-tasks "Post-deployment configuration tasks") section. # AWS CloudFormation templates Sandbox Studio is packaged as a set of AWS CloudFormation stacks. If you decide to manually install Sandbox Studio, you must deploy them **in the order shown below** and **into specific AWS accounts**. This page explains each stack, where to deploy it, and why the order matters. --- #### Stack Summary| **\#** | **Stack** | **What it does** | **Deploy to** | **Key AWS Services** | **Depends on** |
| 1 | Account Pool | Creates OUs to host sandbox accounts and applies SCPs to govern them. | Org Management Account | AWS Organisational Units (OU's), Service Control Policies (SCP's) | - |
| 2 | IDC | Sets up IAM Identity Center groups used by Sandbox Studio users. | Org Management Account | IAM Identity Center Groups | - |
| 3 | Network | Provisions a VPC with multiple subnets. Hosts the database in a private subnet and runs Lambda functions in private subnets with egress access. | Hub Account | Amazon VPC, VPC Endpoints | |
| 4 | Data | Deploys the application database that stores all Sandbox Studio data. Kept separate to simplify upgrades. | Hub Account | Amazon RDS | Network |
| 5 | SES | Creates email templates for alerts and notifications. | Hub Account | Amazon SES | - |
| 6 | Compute | Core back end components such as event driven Step Functions and CodeBuild tasks that are used to clean up and set up new accounts. | Hub Account | Event Bridge, Lambda, Step Functions, CodeBuild | Data, Network, SES |
| 7 | API | The front end compute stack including the API and user facing web application. | Hub Account | Lambda, API Gateway, S3, CloudFront | Compute |
Example: if `latest.json` says `{"version":"1.2.3"}`, the AccountPool template is `https://sandbox-studio-software-dist.s3.amazonaws.com/versions/1.2.3/SandboxStudio-AccountPool.template.json`.
# Step 1: Deploy the AccountPool stack Install the AccountPool CloudFormation stack in the organisation management account. #### How to Install this Stack 1. Login to the AWS Management Console using the **Organisation Management Account.** 2. Navigate to the **CloudFormation** page. 3. Click **Create Stack** and select **With new resources (standard)**. 4. For Template Source, select **Amazon S3 URL** and enter the CloudFormation Template URL shown below and click **Next**. 5. On the **Specify Stack** page, enter the stack name '**SandboxStudio-AccountPool**' and use the parameters shown below. --- #### CloudFormation Template URL ``` https://sandbox-studio-software-dist.s3.amazonaws.com/versions/| **Key** | **What to enter** |
|---|---|
| **Namespace** | 3–8 chars, e.g. `MySs` |
| **HubAccountId** | 12‑digit Hub account ID |
| **ParentOuId** | OU ID to nest Sandbox OUs under (e.g. your **root ID** `r-xxxx` or a specific OU ID e.g. `o-xxxx`) |
| **SsManagedRegions** | Comma separated list of regions managed by Sandbox Studio, e.g. `eu-west-2,us-east-1` |
| **Key** | **What to enter** |
|---|---|
| **Namespace** | Use the same namespace you used in step 1. |
| **HubAccountId** | 12‑digit Hub account ID |
| **IdentityStoreId** | From IAM Identity Center |
| **SsoInstanceArn** | From IAM Identity Center |
| **AdminGroupName** | Default: ` |
| **ManagerGroupName** | Default: ` |
| **UserGroupName** | Default: ` |
| **Key** | **What to enter** |
|---|---|
| **Namespace** | Use the same namespace you used in step 1. |
| **Key** | **What to enter** |
|---|---|
| **Namespace** | Use the same namespace you used in step 1. |
| **Key** | **What to enter** |
|---|---|
| **Namespace** | Use the same namespace you used in step 1. |
| **OrgMgtAccountId** | 12‑digit **management** account ID |
| **IdcAccountId** | 12‑digit **management** account ID |
| **Key** | **What to enter** |
|---|---|
| **Namespace** | Use the same namespace you used in step 1. |
| **OrgMgtAccountId** | 12‑digit **management** account ID |
| **IdcAccountId** | 12‑digit **management** account ID |
| **AllowListedIPRanges** | Comma separated CIDRs allowed to call the API (default “allow all”): `0.0.0.0/1,128.0.0.0/1` |
| **User attribute in the application** | **Maps to this value...** | **Format** |
| Subject | ${user:email} | emailAddress |
| ID | ${user:AD\_GUID} | unspecified |
| Setting | Description |
|---|---|
| **IdP Sign In URL** | The login URL from your Identity Center SAML application. |
| **IdP Sign Out URL** | The logout URL from your Identity Center SAML application. |
| **IDP Audience** | The SAML audience used when previously setting up the IAM Identity Center Application. |
| **Web App URL** | The URL for users to access Sandbox Studio (CloudFront URL or your custom DNS). |
| **AWS Access Portal URL** | The IAM Identity Center portal URL. |
| **Notification Email** | The “From” address Sandbox Studio uses to send emails (must be verified in SES). |
CloudFront requires an **SSL/TLS certificate** for custom domains.
--- #### 4. Provision an SSL/TLS certificate in ACM - Go to the **AWS Certificate Manager (ACM)** in the **us-east-1 region** (required for CloudFront). - Request a certificate for your custom domain (e.g. `sandbox.example.com`). - Validate the certificate using DNS (preferred) or email validation. - Once validated, return to your CloudFront distribution and attach this ACM certificate under **Custom SSL Certificate**. --- #### 5. Update your DNS provider - In your DNS provider (e.g. Route 53), create a **CNAME record**: - **Name**: your custom domain (e.g. `sandbox.example.com`) - **Value**: the CloudFront distribution URL (e.g. `d12345abcdef.cloudfront.net`) - Save the record.It may take up to 30 minutes (or more depending on TTL settings) for DNS changes to propagate.
--- #### 6. Update the ACS URL in Identity Center Since the login flow depends on the correct **Assertion Consumer Service (ACS) URL**, you must update the Identity Center SAML application configuration: - Open **IAM Identity Center** in the management account. - Find the Sandbox Studio custom application. - Update the ACS URL to: `https://The Free Tier provides full functionality. AWS infrastructure charges (for the services you run within those sandbox accounts) are billed directly to your own AWS account and remain your responsibility.
After the 90 day Free Trial expires, or for additional accounts beyond the initial three, an annual per-account license fee applies, which will be billed directly through your AWS account. #### Purchasing Additional Accounts If you wish to manage more than 3 sandbox accounts, you need to purchase additional capacity through **AWS Marketplace.** Your existing installation remains in place, no reinstallation is required. ##### Steps to Purchase 1. Go to the [**AWS Marketplace listing for Sandbox Studio**](https://aws.amazon.com/marketplace/pp/prodview-dntkbocnpzadm). 2. Select **Purchasing Options**. 3. Enter the number of **additional sandbox accounts** you want to manage. - For example: To manage 20 sandbox accounts, purchase 17 additional licences (as 3 are already included in the free tier). 4. Complete the procurement process through AWS Marketplace. 5. Once payment is confirmed, AWS Marketplace will provide a link to set up your account and generate a unique **API key**. ##### Applying Your API Key 1. Log in to the **Sandbox Studio UI**. 2. Go to **Settings → Subscription**. 3. Select **Update**. 4. Paste your API key into the field provided. 5. Click Apply. Your subscription will be validated automatically. Your Sandbox Studio instance will then reflect the new licence limits and duration. You can begin managing additional AWS sandbox accounts immediately. ##### Upgrading your licence • At any time, you can increase the number of sandbox accounts purchased in AWS Marketplace. • Reducing the number of accounts managed by the solution will only apply at the end of the yearly licence. • Your API key will automatically stay in sync with AWS Marketplace, so Sandbox Studio always reflects your current licence level. ##### Licence Term and Renewal • All paid Sandbox Studio licences are annual and billed through AWS Marketplace. • The 12 month licence term begins on the date of purchase. • You will receive notification from AWS Marketplace before renewal. • Licences renew automatically unless cancelled before the renewal date. • Reductions or cancellations take effect at the end of the current term. For support or questions about licence management, please contactIn some circumstances, some resources are not being deleted by CloudFormation. The uninstallation script will retry automatically. If after the retry the resources are still not being deleted, delete the resources manually before restarting the script.