# Creating sandbox accounts

Sandbox Studio works by managing a **pool of AWS accounts**. These accounts are pre-provisioned by your organisation and then handed out to users as sandboxes when requested. Sandbox Studio does not create new AWS accounts itself; instead, it manages the lifecycle of accounts that you provide.

---

#### Account Pool and Lifecycle

When a user requests a sandbox:

1. An AWS account is **allocated from the pool**.
2. Sandbox Studio applies the correct policies, budgets, and permissions.
3. The user is granted access to the account.
4. Sandbox Studio continuously monitors usage, including:
    - **Duration** (how long the account has been leased)
    - **Costs** (how much has been spent)

When a lease expires or a budget limit is reached:

- The account is **revoked from the user**.
- All resources in the account are cleaned up using the configured **cleaner settings** (by default, AWS Nuke is used).
- The account is returned to the pool for future use (**recycled**).

---

#### Provisioning New Accounts

Sandbox Studio does not provision AWS accounts directly. It is the responsibility of **administrators** to create new accounts before onboarding them into Sandbox Studio.

You can use any existing organisational process to provision accounts, including:

- **AWS Control Tower**
- **Landing Zone Accelerator**
- **Terraform or other automation tools**
- **Manual account creation in AWS Organizations**

<p class="callout info">**Note:** Sandbox Studio is agnostic of how you provision new AWS accounts. It does not dictate how you create accounts; it only requires that the accounts are onboarded to be managed by Sandbox Studio.</p>

---

#### Onboarding Accounts

Before Sandbox Studio can manage accounts, they must be **onboarded**. Onboarding ensures Sandbox Studio can take full lifecycle control of the account.

Onboarding involves:

1. **Moving the account** into the designated **Sandbox OU** within AWS Organizations.
    - Sandbox Studio configures this OU during installation.
    - It applies guardrails and policies to all accounts inside it.
2. **Registering the account** inside the Sandbox Studio console.
    - Use the **AWS Accounts** page in the administrator view.
    - Select the account to onboard and confirm management by Sandbox Studio.

Once onboarded, the account becomes fully managed. Sandbox Studio will:

- Assign and track leases
- Monitor budgets and thresholds
- Clean and recycle the account at the end of each lease
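
Step 1 of onboarding (moving the account into the Sandbox OU) can be scripted with the AWS CLI. The script below is an added example, not part of Sandbox Studio or its documentation. It assumes credentials for the AWS Organizations management account, and the account ID and Sandbox OU ID are values you supply. It confirms the account really sits under the OU, and therefore under its guardrails, before you register it in the console.

```shell
#!/bin/sh
# Added example: move an account into the Sandbox OU and verify the result.
# The account ID and OU ID are placeholders supplied by the administrator.
set -eu

# Print the ID of the account's current parent (organisation root or an OU).
current_parent() {
  aws organizations list-parents --child-id "$1" \
    --query 'Parents[0].Id' --output text
}

# Move account $1 into OU $2 unless it is already there, then re-read the
# parent to confirm the move. Prints "already-in-ou" or "moved";
# returns 2 on bad input and 1 if the account is not in the OU afterwards.
move_to_sandbox_ou() {
  acct="$1"; ou="$2"
  case "$acct" in
    ''|*[!0-9]*) echo "account ID must be 12 digits" >&2; return 2 ;;
  esac
  [ "${#acct}" -eq 12 ] || { echo "account ID must be 12 digits" >&2; return 2; }
  case "$ou" in
    ou-*) ;;
    *) echo "destination must be an OU ID (ou-...)" >&2; return 2 ;;
  esac

  parent="$(current_parent "$acct")"
  if [ "$parent" = "$ou" ]; then
    echo "already-in-ou"; return 0
  fi
  aws organizations move-account --account-id "$acct" \
    --source-parent-id "$parent" --destination-parent-id "$ou" >/dev/null
  if [ "$(current_parent "$acct")" != "$ou" ]; then
    echo "account $acct is not in $ou after move" >&2; return 1
  fi
  echo "moved"
}

# Usage: sh onboard.sh <account-id> <sandbox-ou-id>
if [ "$#" -eq 2 ]; then
  move_to_sandbox_ou "$1" "$2"
fi
```

Because the function is idempotent, it can be re-run safely over a whole list of accounts before registering them in the **AWS Accounts** page.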

---

#### Capacity Planning

As an **IT administrator**, you are responsible for ensuring there are enough accounts in the pool to meet demand. Consider:

- **Number of active users** – how many developers, students, or testers will need accounts at once.
- **Expected workloads** – training, hackathons, or workshops may need dozens of accounts at short notice.
- **Recycling time** – accounts are not available again until after cleanup completes.

Best practice is to provision slightly more accounts than your peak expected demand to avoid user delays.