
Roles deployed

Introduction

Sandbox Studio installs multiple roles in your environment, each serving a different purpose:

| Role name | Account created in | Purpose | Can be assumed by |
|---|---|---|---|
| OrgMgtRole - SandboxStudio-{Namespace}-OrgMgtRole | Management Account | For operations on the org management account (move accounts between OUs, etc.) | IntermediateRole in Hub Account |
| IntermediateRole - SandboxStudio-{Namespace}-IntermediateRole | Hub Account | Cross-account intermediate role to assume, to then be able to assume the Org Management Role (for functions, step functions, etc.) | Same account root; roles starting with SandboxStudio-Compute-* and SandboxStudio-API-* |
| IdcRole - SandboxStudio-{Namespace}-IdcRole | Management Account | For IDC operations (operations in Identity Center) | IntermediateRole in Hub Account |
| SandboxAccountRole - SandboxStudio-{Namespace}-SandboxAccountRole | Member accounts | For operating on sandbox member accounts (Hub Account to control member accounts) | IntermediateRole in Hub Account |
| CodeBuildDeployRole | Member accounts | To allow launch templates in member accounts | Step function to create launch templates |
| LaunchTemplateExternalAccessRole | Hub Account | Allows access to S3 buckets in external accounts | Any AWS account (Principal: "*") |

More info on LaunchTemplateExternalAccessRole

This role is particular in that it is created with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringNotEquals": {
                    "aws:ResourceAccount": "<HUB ACCOUNT ID>"
                }
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

This gives the role permission to list buckets and get objects in every bucket that is NOT in the Hub Account (the account where the role is created).

The purpose of this is to allow you to grant this role access to your own bucket should you have resources in other accounts.


For example, let's say you want to launch a template in a Sandbox Account with resources coming from an external S3 bucket (resources, CloudFormation templates, ...). You can grant this role access to your external bucket through a bucket policy.

The CodeBuild task running your launch template will assume this role, which in turn can access your resources in a secure manner.
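The two halves of that setup, worked through as an added example (not Sandbox Studio's own code): the role's identity policy from above with its aws:ResourceAccount carve-out, a bucket policy for the external account pinned to the role ARN and a prefix, and a small evaluator showing that the role can read an external bucket but not one in the Hub Account. The account IDs, bucket name, prefix and role ARN path are constructed placeholders.

```python
import json

# Constructed placeholder IDs; the page writes "<HUB ACCOUNT ID>" and gives no role ARN.
HUB_ACCOUNT_ID = "111111111111"
EXTERNAL_ACCOUNT_ID = "222222222222"
ROLE_ARN = f"arn:aws:iam::{HUB_ACCOUNT_ID}:role/LaunchTemplateExternalAccessRole"

def role_identity_policy(hub_account_id: str) -> dict:
    """The role's identity policy as shown on the page, hub account filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:ResourceAccount": hub_account_id}},
        }],
    }

def bucket_policy(bucket: str, role_arn: str, prefix: str = "launch-templates/") -> dict:
    """Bucket policy for the external account's bucket. Pinning the exact role ARN and a
    prefix is an assumption added here: the trust policy lets any AWS account assume the
    role, so this bucket policy is the real access boundary for your data."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListPrefix", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Sid": "GetObjects", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }

def identity_policy_allows(policy: dict, action: str, resource_account: str) -> bool:
    """Evaluate only the action match and the aws:ResourceAccount StringNotEquals
    condition (no Deny or Resource matching), enough to show the hub-account carve-out."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        wanted = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:ResourceAccount")
        if wanted is not None and resource_account == wanted:
            continue  # condition fails: the bucket lives in the hub account itself
        if stmt["Effect"] == "Allow":
            return True
    return False
```

Print `json.dumps(bucket_policy("my-launch-templates", ROLE_ARN), indent=2)` to get the document to attach to your bucket; cross-account S3 access only works when both this bucket policy and the role's identity policy allow the request.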