Overview of what you'll do

Installing Sandbox Studio manually follows three main stages. Each stage builds on the last, so it’s important to work through them in order.

1. Confirm Prerequisites

Before beginning the installation, you should confirm that your organisation meets all prerequisites.

Sandbox Studio relies on several AWS services and features being enabled in advance, including:

AWS Organisations with all features enabled
Service Control Policies (SCPs) for account guardrails
AWS Resource Access Manager (RAM) for resource sharing
CloudFormation StackSets trusted access
AWS Cost Explorer for spend tracking
IAM Identity Center (IdC) for centralised access control
AWS Service Quotas (e.g. Lambda concurrency, CodeBuild quotas)

For a full checklist of requirements, please see the Installation Prerequisites.

You will also need to collect configuration values in advance, such as:

AWS Region
Organisation and OU IDs
IAM Identity Center group names
IP allow-list ranges

2. Deploy the CloudFormation Stacks

Next, you will deploy the Sandbox Studio CloudFormation templates. Each stack must be launched in the correct AWS account and in a specific order.

Organisation Management account
- Account Pool stack
- IDC stack
Hub account

Each stack depends on outputs from earlier stacks. The next page, Deploying the Stacks provides the exact order and details.

3. Complete Post-Deployment Steps

Once the stacks are deployed successfully, you’ll need to carry out some manual configuration tasks. These ensure Sandbox Studio integrates with your organisation’s identity provider, DNS, and and your application settings are in sync with your environment.

At a high level, you will:

Set up a SAML 2.0 application in IAM Identity Center, and assign Sandbox Studio groups to it.
Configure DNS (optional) for a custom domain, and update the application ACS URL.
Update AWS AppConfig settings (IdP URLs, audience, web app URL, access portal, email “from” address).
Store the IdP certificate in AWS Secrets Manager (the API stack provides the secret ARN).
Add initial administrators to the Sandbox Studio Admin group in IAM Identity Center.

Each of these steps is explained in detail in the Post-Deployment Configuration section.

Overview

Core Capabilities

Concepts and definitions

Solution Architecture

AWS services in this solution

Security & Compliance

Roles deployed by the solution

Secrets & Encryption keys

Data stored (and where)

Prerequisite Skills and Specialised Knowledge

Installation Prerequisites

Choosing your region(s)

Choosing the hub account

Understand running costs

Creating sandbox accounts

External identity provider setup (Optional)

Running the Installation Wizard

Update Sandbox Studio

Before you start...

Overview of what you'll do

AWS CloudFormation templates

Step 1: Deploy the AccountPool stack

Step 2: Deploy the IDC stack

Step 3: Deploy the Network stack

Step 4: Deploy the Data stack

Step 5: Deploy the SES stack

Step 6: Deploy the Compute stack

Step 7: Deploy the API stack

Create an IAM Identity Center application

Add initial users

Update AWS AppConfig

Update AWS Secrets Manager

Logging into the web UI

Setup a custom domain (Optional)

Free Tier and Upgrading

End User Licence Agreement (EULA)

Overview of what you'll do

1. Confirm Prerequisites

2. Deploy the CloudFormation Stacks

3. Complete Post-Deployment Steps