Overview of what you'll do

Installing Sandbox Studio manually follows three main stages. Each stage builds on the last, so it’s important to work through them in order.

1. Confirm Prerequisites

Before beginning the installation, you should confirm that your organisation meets all prerequisites.

Sandbox Studio relies on several AWS services and features being enabled in advance, including:

• AWS Organisations with all features enabled

• Service Control Policies (SCPs) for account guardrails

• AWS Resource Access Manager (RAM) for resource sharing

• CloudFormation StackSets trusted access

• AWS Cost Explorer for spend tracking

• IAM Identity Center (IdC) for centralised access control

• AWS Service Quotas (e.g. Lambda concurrency, CodeBuild quotas)

For a full checklist of requirements, please see the Installation Prerequisites.

You will also need to collect configuration values in advance, such as:

• AWS Region

• Organisation and OU IDs

• IAM Identity Center group names

• IP allow-list ranges

2. Deploy the CloudFormation Stacks

Next, you will deploy the Sandbox Studio CloudFormation templates. Each stack must be launched in the correct AWS account and in a specific order.

• Organisation Management account

  • Account Pool stack
  • IDC stack

• Hub account

  • Network stack
  • Data stack
  • SES stack
  • Compute stack
  • API stack

Each stack depends on outputs from earlier stacks. The next page, Deploying the Stacks provides the exact order and details.

3. Complete Post-Deployment Steps

Once the stacks are deployed successfully, you’ll need to carry out some manual configuration tasks. These ensure Sandbox Studio integrates with your organisation’s identity provider, DNS, and and your application settings are in sync with your environment.

At a high level, you will:

1. Set up a SAML 2.0 application in IAM Identity Center, and assign Sandbox Studio groups to it.

2. Configure DNS (optional) for a custom domain, and update the application ACS URL.

3. Update AWS AppConfig settings (IdP URLs, audience, web app URL, access portal, email “from” address).

4. Store the IdP certificate in AWS Secrets Manager (the API stack provides the secret ARN).

5. Add initial administrators to the Sandbox Studio Admin group in IAM Identity Center.

Each of these steps is explained in detail in the Post-Deployment Configuration section.