Creating sandbox accounts

Sandbox Studio works by managing a pool of AWS accounts. These accounts are pre-provisioned by your organisation and then handed out to users as sandboxes when requested. Sandbox Studio does not create new AWS accounts itself; instead, it manages the lifecycle of accounts that you provide.


Account Pool and Lifecycle

When a user requests a sandbox:

  1. An AWS account is allocated from the pool.

  2. Sandbox Studio applies the correct policies, budgets, and permissions.

  3. The user is granted access to the account.

  4. Sandbox Studio continuously monitors usage, including:

    • Duration (how long the account has been leased)

    • Costs (how much has been spent)

When a lease expires or a budget limit is reached:

  • The account is revoked from the user.

  • All resources in the account are cleaned up using the configured cleaner settings (by default, AWS Nuke is used).

  • The account is returned to the pool for future use (recycled).


Provisioning New Accounts

Sandbox Studio does not provision AWS accounts directly. It is the responsibility of administrators to create new accounts before onboarding them into Sandbox Studio.

You can use any existing organisational process to provision accounts, including:

  • AWS Control Tower

  • Landing Zone Accelerator

  • Terraform or other automation tools

  • Manual account creation in AWS Organizations

Note: Sandbox Studio is agnostic to how you provision new AWS accounts. It only requires that the accounts are onboarded so that it can manage them.


Onboarding Accounts

Before Sandbox Studio can manage accounts, they must be onboarded. Onboarding ensures Sandbox Studio can take full lifecycle control of the account.

Onboarding involves:

  1. Moving the account into the designated Sandbox OU within AWS Organizations.

    • Sandbox Studio configures this OU during installation.

    • It applies guardrails and policies to all accounts inside it.

  2. Registering the account inside the Sandbox Studio console.

    • Use the AWS Accounts page in the administrator view.

    • Select the account to onboard and confirm management by Sandbox Studio.

Once onboarded, the account becomes fully managed. Sandbox Studio will:

  • Assign and track leases

  • Monitor budgets and thresholds

  • Clean and recycle the account at the end of each lease


Capacity Planning

As an IT administrator, you are responsible for ensuring there are enough accounts in the pool to meet demand. Consider:

  • Number of active users – how many developers, students, or testers will need accounts at once.

  • Expected workloads – training, hackathons, or workshops may need dozens of accounts at short notice.

  • Recycling time – accounts are not available again until after cleanup completes.

Best practice is to provision slightly more accounts than your peak expected demand to avoid user delays.
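
The effect of recycling time on pool size, shown as an added example that is not part of Sandbox Studio or its documentation: it sweeps a constructed day of leases and counts the accounts that are either leased or still in cleanup. The lease schedule, the cleanup durations and the 10% headroom are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta


def peak_accounts_needed(leases, cleanup):
    """Peak number of accounts that are leased or still being cleaned.

    leases  -- iterable of (start, end) datetimes, one pair per lease
    cleanup -- timedelta an account spends in cleanup after its lease ends
    """
    events = []
    for start, end in leases:
        events.append((start, +1))          # account leaves the pool
        events.append((end + cleanup, -1))  # account is recycled
    # At equal timestamps -1 sorts before +1, so an account recycled at
    # 13:00 can serve a lease that starts at 13:00.
    events.sort()
    busy = peak = 0
    for _, delta in events:
        busy += delta
        peak = max(peak, busy)
    return peak


def pool_size(leases, cleanup, headroom_pct=10):
    """Peak demand plus a headroom percentage, rounded up (integer maths)."""
    peak = peak_accounts_needed(leases, cleanup)
    return (peak * (100 + headroom_pct) + 99) // 100


def _at(hour):
    return datetime(2025, 1, 15, hour)  # constructed date


# Constructed demand for one day (assumption, not data from the page).
SAMPLE_LEASES = (
    [(_at(8), _at(18))] * 5       # 5 long-running developer leases
    + [(_at(9), _at(12))] * 20    # morning workshop, 20 attendees
    + [(_at(13), _at(16))] * 20   # afternoon workshop, 20 attendees
)

if __name__ == "__main__":
    for minutes in (30, 60, 90):
        cleanup = timedelta(minutes=minutes)
        print(f"cleanup {minutes} min: "
              f"peak {peak_accounts_needed(SAMPLE_LEASES, cleanup)}, "
              f"pool {pool_size(SAMPLE_LEASES, cleanup)}")
```

With the sample schedule, a 30- or 60-minute cleanup lets the afternoon workshop reuse the morning's accounts (peak 25), while a 90-minute cleanup overlaps the afternoon start and pushes the peak to 45.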