# AWS CloudFormation templates

Sandbox Studio is packaged as a set of AWS CloudFormation stacks. If you decide to manually install Sandbox Studio, you must deploy them **in the order shown below** and **into specific AWS accounts**. This page explains each stack, where to deploy it, and why the order matters.

---

#### Stack Summary

<table border="1" id="bkmrk-%23-stack-what-it-does" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 4.76758%;"></col><col style="width: 14.6603%;"></col><col style="width: 35.0417%;"></col><col style="width: 16.6914%;"></col><col style="width: 18.9463%;"></col><col style="width: 10.0119%;"></col></colgroup><thead><tr><td class="align-center">**\#**</td><td>**Stack**</td><td>**What it does**</td><td>**Deploy to**</td><td>**Key AWS Services**</td><td>**Depends on**</td></tr></thead><tbody><tr><td class="align-center">1</td><td>Account Pool</td><td>Creates OUs to host sandbox accounts and applies SCPs to govern them.</td><td>Org Management Account</td><td>AWS Organisational Units (OUs), Service Control Policies (SCPs)</td><td>-</td></tr><tr><td class="align-center">2</td><td>IDC</td><td>Sets up IAM Identity Center groups used by Sandbox Studio users.</td><td>Org Management Account</td><td>IAM Identity Center Groups</td><td>-</td></tr><tr><td class="align-center">3</td><td>Network</td><td>Provisions a VPC with multiple subnets. Hosts the database in a private subnet and runs Lambda functions in private subnets with egress access.</td><td>Hub Account</td><td>Amazon VPC, VPC Endpoints</td><td>  
</td></tr><tr><td class="align-center">4</td><td>Data</td><td>Deploys the application database that stores all Sandbox Studio data. Kept separate to simplify upgrades.</td><td>Hub Account</td><td>Amazon RDS</td><td>Network</td></tr><tr><td class="align-center">5</td><td>SES</td><td>Creates email templates for alerts and notifications.</td><td>Hub Account</td><td>Amazon SES</td><td>-</td></tr><tr><td class="align-center">6</td><td>Compute</td><td>Core back-end components, such as event-driven Step Functions and CodeBuild tasks, that clean up and set up new accounts.</td><td>Hub Account</td><td>EventBridge, Lambda, Step Functions, CodeBuild</td><td>Data, Network, SES</td></tr><tr><td class="align-center">7</td><td>API</td><td>The front-end compute stack, including the API and user-facing web application.</td><td>Hub Account</td><td>Lambda, API Gateway, S3, CloudFront</td><td>Compute</td></tr></tbody></table>

---

#### Where to get the CloudFormation templates

**All templates are published to S3**. Choose the version you want and construct URLs as:

<div class="contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary" id="bkmrk-https%3A%2F%2Fsandbox-stud"><div class="overflow-y-auto p-4" dir="ltr">`https://sandbox-studio-software-dist.s3.amazonaws.com/versions/<VERSION>/<STACK_NAME>.template.json`</div></div>

The stack names (filenames) are shown below:

- `SandboxStudio-AccountPool.template.json`
- `SandboxStudio-IDC.template.json`
- `SandboxStudio-Network.template.json`
- `SandboxStudio-Data.template.json`
- `SandboxStudio-SES.template.json`
- `SandboxStudio-Compute.template.json`
- `SandboxStudio-API.template.json`

**Find the latest version** (optional): fetch  
`https://dist.sandboxstudiosoftware.com/latest.json`  
and use its `"version"` value in place of `<VERSION>`.

<p class="callout info">Example: if `latest.json` says `{"version":"1.2.3"}`, the AccountPool template is  
`https://sandbox-studio-software-dist.s3.amazonaws.com/versions/1.2.3/SandboxStudio-AccountPool.template.json`.</p>
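
The following is an added example, not code from Sandbox Studio: it validates the `"version"` value from `latest.json` before placing it in a URL path, then builds the template URL for each stack in the table's order and checks that every dependency comes earlier. The function names are hypothetical, the dotted-number version format is an assumption, and Network's empty "Depends on" cell is treated as no dependency.

```python
import json
import re

BASE = "https://sandbox-studio-software-dist.s3.amazonaws.com/versions"

# (stack, target account, depends on), in the order of the stack summary table.
# Assumption: Network's empty "Depends on" cell means no dependency.
STACKS = [
    ("AccountPool", "Org Management Account", []),
    ("IDC", "Org Management Account", []),
    ("Network", "Hub Account", []),
    ("Data", "Hub Account", ["Network"]),
    ("SES", "Hub Account", []),
    ("Compute", "Hub Account", ["Data", "Network", "SES"]),
    ("API", "Hub Account", ["Compute"]),
]

# Assumption: versions are dotted ASCII numbers such as 1.2.3. Anything else
# is rejected so a tampered latest.json cannot alter the URL path.
VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){1,3}")

def parse_version(latest_json_text):
    """Return the "version" value from latest.json after strict validation."""
    doc = json.loads(latest_json_text)
    version = doc.get("version") if isinstance(doc, dict) else None
    if not isinstance(version, str) or not VERSION_RE.fullmatch(version):
        raise ValueError(f"unexpected version value: {version!r}")
    return version

def deployment_plan(version, stacks=STACKS):
    """Return [(stack, account, url)] in the given order, refusing any
    order that lists a stack before one of its dependencies."""
    if not VERSION_RE.fullmatch(version):
        raise ValueError(f"unexpected version value: {version!r}")
    done, plan = set(), []
    for name, account, deps in stacks:
        missing = [d for d in deps if d not in done]
        if missing:
            raise ValueError(f"{name} listed before its dependencies: {missing}")
        url = f"{BASE}/{version}/SandboxStudio-{name}.template.json"
        plan.append((name, account, url))
        done.add(name)
    return plan

if __name__ == "__main__":
    sample = '{"version":"1.2.3"}'  # constructed, matches the page's example
    for name, account, url in deployment_plan(parse_version(sample)):
        print(f"{name:12} {account:24} {url}")
```
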