Manager Guide

• Home Page
• Leases
• What are leases?
• Listing leases
• Filtering leases
• Lease details
• Approving & rejecting leases
• Locking & unlocking an account
• Extend budget or duration
• Events
• What are events?
• Event creation - Overview
• Event creation - Basic details
• Event creation - Account template
• Event creation - Schedule
• Event creation - Participants
• Event creation - Managers
• Event creation - Review
• Start events and provision accounts
• Terminate events
• Account Templates
• What are account templates?
• Account template creation - Overview
• Account template creation - Basic Details
• Account template creation - Budget
• Account template creation - Duration
• Account template creation - Permissions
• Account template creation - Roles & Access
• Account template creation - Launch Settings
• Account template creation - Review
• Update Account templates
• Duplicate Account Templates
• Reporting
• Reporting
• Reference : Lease States

Home Page

After logging into the Sandbox Studio UI, as a Manager, you will land on your Manager's Home page.

As a Sandbox Studio Manager, you have the dual capability of overseeing the environment for your end users and also requesting and accessing AWS Accounts yourself, just as your end users do. 

Therefore the Manager's homepage is divided into two sections:

• One providing insights of your personal My AWS accounts (1), and another.
  • For more details about this section, refer to User Guide Home Page
• Offering a Management Overview (2) summarising the usage status of all the leases you manage.

As the functionality of accessing your own accounts is identical to how end Users would experience it, if you want to know more about how to access and manage your own AWS Accounts, see the User Guide.  The rest of this managers guide, will focus on features specific to Managers.

Management Overview:

The Management Overview section is divided in 3 sections:

1. Leases pending for your approval:
   • This display all the access to AWS accounts that you need to approve. You can approve leases for account templates you own or that you have been set as Approver. 
2. Currently active leases
   • Gives an overview of all active leases for account template you own or you administer
3. Top Account templates: 
   • A break down of the top account templates and, for each of them, the status of the leases. Using this graph, you can identify the most popular account templates.

Management Menu:

1. Approvals: Access the list of leases you need to approve. A badge is displayed with the number of leases that are waiting for approval.
2. Leases: See the full list of leases you can administer. You can administer the leases that use Account templates you own or that you have been marked as manager for.
   
3. Events: Create and manage events. More details here: What are events?
4. Account Templates: Create and manage Account Templates. More details here: Account template overview
5. Reporting: Access reporting dashboard on utilisation of Sandbox Studio

Leases

What are leases?

A Lease is the core concept in Sandbox Studio. It represents a time-bound and/or budget-bound grant of access to a temporary AWS account for one or more users.

When a lease is created, Sandbox Studio provisions access to a short-lived AWS account. When the lease ends — whether through expiry, budget exhaustion, or manual revocation — that access is automatically removed.

Key Characteristics

• Temporary: Every lease has a defined start time. It may also have an expiry date, but this is optional. A lease ends when its expiry date is reached, its budget is exhausted, or it is manually revoked — whichever comes first.
• Scoped to an AWS account: Each lease maps to a single temporary AWS account.
• Shareable: A lease can be assigned to a single user or shared across a group of users. All users on a shared lease access the same AWS account.
• Budget-controlled: A lease can have a spending budget. If the account's costs hit the budget threshold, the lease is automatically terminated.
• Automated: Lease creation, access provisioning, and cleanup are fully automated. No manual account handoff required.

Listing leases

As a Manager, you can see and manage leases. To have management access to leases, you need to:

• Have Manager access in Sandbox Studio
• Be granted management permissions on the account template that the leases use

Note: Administrators have full permissions and can see all leases.

To access leases, click on the "Leases" link in the left menu:

This displays the list of leases that are currently being used (Status Active, Locked, or Pending Approval):

Filtering leases

Filter by lease status

From the leases page, you can select the status of the leases you want to display. Example, only showing "Pending Approval" leases:

Filter by other fields

You can also filter by all the fields displayed in the table. This allows, for example, to filter on a particular event, budget, or account template. To access this filter, click on the filter icon at the top of the table:

The list of filters will appear.

For example, filter leases having their current cost between $10 and $50:

For fields with finite values (i.e. "Account template"), a searchable dropdown will be displayed:

If you close the Filter menu, but still have some filters applied, an icon will be displayed on the columns being filtered:

Lease details

This page describes the different sections of the lease details page:

Account Summary

Account summary contains the basic information about the lease and its associated account:

1. The Status of the lease. See lease status here
2. Lease ID. This is the unique identifier of the lease. 
3. AWS Account ID: When a lease is active, an AWS account is associated to it. This is the AWS account ID for the current lease.
4. Account template used for this lease.
5. User who has requested the lease. The lease owner may be different than the requester as managers and administrators can request leases on behalf of other users.
6. Approved by: Shows the user who has approved (or rejected the lease). For account templates that do not require approval, the lease it auto approved.
7. Login to the AWS account using AWS Identity Center.

Note: When a manager or administrator requests an account for an account template he/she can approve, the lease will be automatically approved.

Account Timeline

The timeline shows you the different stages an account (lease) can go through. It also shows you what current state the account is in.

Team members

This sections shows the users who can access this account. If the account template allows team sharing, then the owner (or a manager/admin) can share the account with other users. 

The "Status" columns indicates if the share is active (The other user can see and access the lease) or if the account is being shared (Status = "Sharing...").

By clicking on "Update", managers and administrators can share or un-share the account with other users. Refer to How to share an account for more details.

Budget & Duration

Account limits versus Account templates limits:

It is important to understand how duration and budget work:

1. The initial budget/duration of an account (or lease) is set on account creation, based on the account template used.
   • i.e: If the account template has a budget of $50, then the account created will have a default budget of $50.
   • The expiration date is calculated on account creation/start. This is particularly important for accounts related to events: The duration countdown will only start when the event (and therefore the lease) actually start, not when it's created.
2. During the account lifetime, managers and administrators can update the budget/expiration, independently from the account template. They can, for instance, extend the budget or prolongate the lifetime for a particular account without having to change the account template.

Budget

The budget card shows the maximum budget for the account and the current spend.

In this example, the maximum budget for this account is $50 and so far, $4.26 have been spent. Managers and Administrators can extend (or reduce) the budget by clicking on the "Update" button.

Duration

The duration card shows when this account will expire.

The expiration date is calculated on account creation/start. This is particularly important for accounts related to events: The duration countdown will only start when the event (and therefore the lease) actually start, not when it's created.

In this example, the account has been running for 8 days and will expire in 20 days and 6 hours. Managers and Administrators can extend (or reduce) the lifespan of the account by clicking on the "Update" button.

Approving & rejecting leases

Accessing approvals

When setting up the Account Templates, the Manager or Admins can set an account to require approval, before it is issued to a user.  When a user requests such an account, Managers or Admins need to approve the request for the user to be granted access to the  lease.

• Managers or Admins will be alerted to the fact that an Account Request needs approval on their email and in the Sandbox Studio UI on the left menu with a notifications on Approvals (1).  From the left, select Approvals (1) to view your approval requests.

• This opens the Approvals page:

1. 1. By default, this page only shows the pending approvals, but you can change the filter to display All, Pending, Approved, Denied or Withdrawn requests.
   2. Click on the user's name to display more details about the request
   3. Or you can directly Approve or Reject the request from this page.

Request details

If you want to access more details about the request or you need to update some parameters of the request, you can open it by clicking on the username of the requestor (Step 2 in the previous screenshot). The following page is then displayed:

From there, you can:

1. Approve the request
2. Deny the request
3. See the current status of the request
4. See requestor's comments
5. Update budget for this lease. (This overrides the account template default details)
6. Update duration of this lease.(This overrides the account template default details)

Once approved, the lease will go through the setup process, which could take a few minutes depending on the resources being created in the account. Once finished, the account will be marked as "Active" (1) and will be available to the requestor.

Bulk Approval

When managing multiple leases at once, we recommend using the Events features, but in certain scenarios, you may need to bulk approve/denied leases. This is possible by going to the Approval page, select the requests to Approve/Deny, click on the Actions buttons and Approve/Reject the requests:

Locking & unlocking an account

Managers and Administrators can lock (and unlock) accounts. Accounts can be locked if they are over budget or if they have expired. 

Once locked, the account is not accessible anymore to the end user, but remains active and accessible to the managers and administrators.

Accounts that are locked keep on incurring cost as existing resources are not stopped.

Lock an account

From the lease details page, click on the Actions button and select "Lock account":

Confirm the action by clicking on "Lock":

The account status changes to "Account locked" and name of the user who locked the account is shown:

The account owner will be notified by e-mail that the account has been locked.

Unlock an account

From the lease details page, click on the Actions button and select "Unlock account":

Confirm the action by clicking on "Unlock":

The account status return to its previous state:

The account owner will be notified by e-mail that the account has been unlocked.

Lock/Unlock accounts in bulk:

From the leases page, select the accounts you want to lock/unlock and click on the "Actions" button and select "Lock account"/"Unlock accounts":

Extend budget or duration

Account limits versus Account templates limits:

It is important to understand how duration and budget work:

1. The initial budget/duration of an account (or lease) is set on account creation, based on the account template used.
   • i.e: If the account template has a budget of $50, then the account created will have a default budget of $50.
   • The expiration date is calculated on account creation/start. This is particularly important for accounts related to events: The duration countdown will only start when the event (and therefore the lease) actually start, not when it's created.
2. During the account lifetime, managers and administrators can update the budget/expiration, independently from the account template. They can, for instance, extend the budget or prolongate the lifetime for a particular account without having to change the account template.

Extend account limits

The procedure being identical for budget or duration, this document will only cover the "Budget" update. The same exact steps are to be performed for the duration update.

Open the lease you want to extend the budget of by clicking on "Leases" on the left menu and open up the lease:

Scroll down to the "Budget" section and click on "Update":

Update the maximum budget, actions and threshold for this lease and click on "Update lease" to finish:

The lease budget gets immediately updated:

Events

What are events?

Events allow you to assign and manage AWS accounts for a group of users in one place.

This is useful when working with a defined set of participants, for example:

• Running a workshop or hackathon
• Delivering a university subject or training course
• Onboarding a group of new team members

Key Characteristics

• Bulk management — Create, assign, and manage multiple leases from a single view rather than handling them individually.
• Pre-creation — Events can be created and fully provisioned before they start. Accounts and resources are prepared ahead of time so users can start immediately when the event is started.
• Unassigned leases — Leases within an event can be created without being assigned to a specific user. This lets you prepare a pool of ready-to-go accounts and assign them to participants later.
• Limit overrides — Event-level limits (duration, budget) override the account template defaults. If an account template has a maximum duration of 10 days but the event is configured for 20 days, the event's 20-day limit applies to all leases within it.

Event Lifecycle

1. Created — The event is defined with its limits, account template, and number of leases. Accounts and resources can be pre-provisioned at this stage. No costs are incurred yet.
2. Started — The event is activated. Leases become active and participants can access their assigned accounts.
3. Ended — The event concludes. All leases are terminated, access is revoked, and accounts are reclaimed.

Events vs Individual Leases

Individual leases are suited for on-demand, self-service access — a single user or small team needing a sandbox. Events are designed for coordinated, group-based scenarios where an organiser needs to prepare and manage many accounts at once with consistent settings.

Event creation - Overview

To create a new account template:

1. Click on "Events" on the left menu
2. Click on "Create Event"

Creating an event is a 6-step process listed as follows:

1. Basic details
2. Account template
3. Schedule
4. Participants
5. Managers
6. Review

Event creation - Basic details

First step of the event creation wizard is to set the basic information to describe your event:

1. Name of the event: Remember, this is will be used by your users to find your event, so make it unique and easy to find!
2. Description of the event
3. Icon: Choose the icon to identify your event
4. Colour: Choose the colour of your event

Having completed all the fields on the Basic Details page as needed, click on Next to move to Event creation - Account template

Event creation - Account template

In this step, you define the account template you want to use in your event. The account template will define settings like:

1. Permissions
2. Resources created in the event
3. Budget
4. ...

Note: Account templates also define lease duration, but within an event, this is overridden by the event's own duration setting.

Having selected the account template, click on Next to move to Event creation - Schedule

Event creation - Schedule

This steps define the schedule of an event.

Schedule are defined as follows:

Start Date

• Start now

Selecting this option will automatically provision the accounts (aka, create leases) and start the event.

• • Pros: Easy, the event starts immediately and you can start right away!
  • Cons:  If your account template provisions resources in the account, you will need to wait for the accounts to be ready before accessing them. This provisioning time counts towards your event duration

• Start on a specific date

You can set the event to start on a specific date (and time) you define. This is particularly useful is you want to schedule an event to start automatically in the future.

• • Pros: "Set and forget", the event will automatically start at the date/time of your choice. This option also allows you to pre-provision the accounts before the event starts, so you don't have to wait for the resources to be created in the accounts.
  • Cons:  Not much! But as per the "Start now" option, If your account template provisions resources in the account, you will need to either pre-provision the account manually before the start of the event or wait for the accounts to be ready before accessing them.

• Start later

You can chose not to start the event automatically. In this instance, you will have to start the event manually.

• Pros: No rush! You can take your time to create and configure the event. You can also update this value later if you finally decide to start the event automatically.
• Cons:  The event won't starts automatically, so you will need to start it manually.

End Date

Note: Account templates also define lease duration, but within an event, this is overridden by the event's own duration setting.

• End on a specific date

Automatically ends the event on a specific date/time. When this date/time comes, the event will be terminated and leases will be terminated.

• End after a specific amount of time

Automatically ends the event after a specific amount of time: The count down starts when the event is started. Use this option if you want to terminate the event after some time. For instance: "Terminate the event after 7 days"

• No end date

With this option, the event will not be terminated automatically. So you will have to terminate the event manually.

Having set the schedule, click on Next to move to Event creation - Participants

Event creation - Participants

This step allows you to define how many accounts (leases) you want to have as part of your event.

For instance, for a hackathon with 5 participants, you would define 5 accounts:

1. Set the number of accounts you want to create

Note: You can reserve accounts for your event by adding an account and not assigning it to any user

2. For big events, you can import a CSV file with the list of events
3. Assign users to the event you will create

How to assign user to an account

Click on the "Assign user" button and select the user you want to assign to an account. Once assigned, the status becomes "Assigned"

If you let the account "Unassigned", a lease will be created but not assigned to any user. This is a way to "reserve" an account and prepare it before later assigning it to users.

How to import a CSV

Click on the Import button:

You can then Drag and Drop your CSV file:

Format of the CSV file is as follows:

email1@example.com
email2@example.com
email3@example.com

Only valid e-mail addresses will be processed. So if you add a header to CSV file, it will be ignored.

Sandbox Studio will then check the CSV file:

After a few seconds (depending on how many users are in the CSV file):

Only the found users will be added to the event:

Once account numbers are set and users assign, click Next to Event creation - Managers

Event creation - Managers

This step allows you to define who can manage the event:

• Update event
• Add or remove accounts and assign users

1. Select the users who can manage your event
2. Select the groups of users who can manage your event

Groups are defined in IAM Identity Center. How to add groups to IAM Identity Center

Once managers are defined, click Next to Event creation - Review

Event creation - Review

Last step of the event creation wizard, the review screen allows to check everything is correct:

Click Submit to create your event.

You are automatically redirected to your event page:

Start events and provision accounts

Depending on your event configuration, your event can:

• Start immediately
  • The event (and provisioning of the accounts) start when the event is created
• Start on a specific date
  • The event (and provisioning of the accounts) start on a schedule
  • Account can be provisioned manually before the event
• Be started manually at a later date
  • The event has to be started manually. 
  • Account can be provisioned manually before the event or will be automatically provisioned when the event is started.

Event lifecycle

High level lifecycle of an event is as follows:

The "Provisioning" step (aka "Preparing account") is what can take the longest as this is during this steps the accounts are configured and resources (if any) are created.

For account template creating resources in the accounts, we recommend pre-provisioning the account before the event starts as otherwise, the provisioning step will count towards the event duration.

A concrete example:

Let's assume you event must run for 2 days and you have 50 participants. Each account preparation takes 1 hour. 

By default, AWS Codebuild (used to create resources in the accounts) is limited to 15 concurrent executions. So you could only parallelise 15 accounts provisioning.

In total:

15 accounts x 1h + 15 accounts x 1h + 15 accounts x 1h + 5 accounts x 1h = 4h to provision all accounts.

So your users will have to wait for all the accounts to be created before accessing the event!

Starting an event

Open the event and click on the "Start event":

If the accounts have not been provisioned manually, they will be automatically be when the event starts.

Pre-provision accounts

If you want to prepare the accounts before the event starts, click on the small arrow in the "Start event" button and select "Prepare accounts only":

This will trigger the accounts preparation:

You can follow progress by going to the "Accounts" tab:

After a few minutes (depending on your launch template), the event is ready to start:

You can now start the event!

Terminate events

Depending on your event configuration, your event can be stopped :

• At a specific date
  
• After a certain duration (from the event start date)
• Manually, by an event manager

Event lifecycle

High level lifecycle of an event is as follows:

Stoping an event manually

Open the event and click on the "Terminate event":

All leases will be terminated, users will be notified, and accounts are going to cleanup before returning to accounts pool.

Account Templates

What are account templates?

An Account Template (also referred to as a Lease Template) is the blueprint that defines how a lease behaves and what the target AWS account looks like. Templates are configured ahead of time and referenced when creating leases.

An account template defines:

• Lease constraints: Default and maximum duration, budget limits, and whether the lease can be shared.
• Lease management: Who is allowed to manage (extend, revoke, ...), approve leases based on this template.
• Account provisioning: The resources that should be deployed into the AWS account when the lease starts (e.g., VPCs, IAM roles, baseline infrastructure).
• Access control: The IAM policies, permission boundaries, and roles that lease users receive within the account. This controls what users can and cannot do inside their sandbox.

Templates ensure consistency and governance across all leases. Administrators define the guardrails once, and every lease created from that template inherits them automatically.

Account template creation - Overview

To create a new account template:

1. Click on "Account Templates" on the left menu
2. Click on "Add Account Template"

Creating an account template is a 7-step process that can be done from scratch or use an existing template from Sandbox Studio.

In this documentation, we will create an account template from scratch. Using a prebuilt template is identical but has pre-defined values.

Each step of the process is explained as follows:

1. Basic details
2. Budget
3. Lease Duration
4. Account Permissions
5. Roles & Access
6. Launch Settings
7. Review

Account template creation - Basic Details

On the Add a new Account Template page, complete the required fields in the Basic Details section.

Tagging accounts with parameters like "Department Name = Engineering" or "Cost Centre = M004" would enable users to gain granular insights into their AWS Sandbox Studio usage. This would allow for precise cost allocation and chargebacks to specific teams or projects, providing a clear understanding of spending patterns and resource consumption. It also facilitates better resource governance and optimisation by identifying areas of high expenditure or underutilised resources, leading to improved cost efficiency.

In the Tags section, users can either select from the options in the drop down, or create their own custom Tag names, by just typing into the Name (1) field. One you have selected or entered a name, you can type in or select a corresponding value (2) e.g. Department Name = Engineering

Sandbox Studio does not include any predefined tags. The dropdown list is populated with tags that already exist in your environment.

You can addd as many tags as needed to help you filter accounts as required. In the example below you can see 3 different tags

Having completed all the fields on the Basic Details page as needed, click on Next to move to Account template creation - Budget

Account template creation - Budget

This step defines the budget limits for leases using this template.

1. Define if you want a maximum budget to be enforced for the leases. By default, this flag is optional (You can define templates with no budget limits), but platform administrators can enforce this flag to be set to "Yes". (e.g: Enforce maximum budget)
2. Define the maximum budget amount. This value is in USD.
3. Define the action when the budget is reached. You can either:
   • Wipe the account: This delete all resources and remove access to the users.
     • Pros: Stop incurring cost
     • Cons: Some data may be lost as the resources will be deleted.
   • Lock account: Remove access to end users but keep the resources and data
     1. Pros: Data and resources remain. Administrators and managers can access the account.
     2. Cons: Resources still incur cost in the AWS account.
4. Define the actions to take based on the thresholds you define.

Note: The maximum budget you can set is limited by the maximum budget set in the Global configuration set by the administrator of your Sandbox Studio environment. 

Actions:

Sandbox Studio can perform automatic actions if some thresholds are met. You can define those thresholds and actions in the "Actions" section:

Having completed all the fields on the Budget page as needed, click on Next to Account template creation - Duration

Account template creation - Duration

This step defines the maximum duration for leases using this template.

1. Define if you want a maximum duration to be enforced for the leases.
2. If you select Set an expiry date, enter a value in Maximum Lease Duration (in Months, Days or Hours). The duration configuration determines how long the account is available once leased to a user.  
   
3. Define the action when the lease expires. You can either:
   • Wipe the account: This delete all resources and remove access to the users.
     • Pros: Stop incurring cost
     • Cons: Some data may be lost as the resources will be deleted.
   • Lock account: Remove access to end users but keep the resources and data
     1. Pros: Data and resources remain. Administrators and managers can access the account.
     2. Cons: Resources still incur cost in the AWS account.
4. Define the actions to take based on the thresholds you define.

The countdown for a lease starts when the lease is created.

Actions:

Sandbox Studio can perform automatic actions if some thresholds are met. You can define those thresholds and actions in the "Actions" section:

Important: The threshold’s actions are effectively a count down - and only trigger when a certain amount of time is left. e.g. 5 Days left, or 24 Hours to go or in the case of "Wipe" when the account has expired.

Having completed all the fields on the Duration page as needed, click on Next to Account template creation - Permissions

Account template creation - Permissions

Using Permissions, you can configure what the end users can and cannot do in their accounts. 

Sandbox Studio uses IAM Identity Center Permissions Sets for permissions. You can see more details explaining each of the sections of this page at https://docs.aws.amazon.com/singlesignon/latest/userguide/permissionsetcustom.html

Default permissions

By default, "Administrator Access" is provided to end users. 

Service Control Policies (SCP) are still applied on the accounts and even with Administrator access, some resources and actions may be blocked by your Administrators.

If the default configuration suits your needs, proceed to the next step Account template creation - Roles & Access

Customise permissions

For more granular permissions configuration, you can customise the permissions you provide to the end users by selecting No, I want to customise permissions:

The following sections can be configured:

1. AWS Managed Policies

By default, the Administrator Access policy is applied but you can select one or more policies from the list of AWS Managed policies. More details here about AWS Managed policies: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html

2. Customer Managed Policies

If you have pre-defined policies you manage, you can use them here. More details about Customer managed policies

3. Inline policy

Finally, you can use inline policy (define the access directly in the section). More details about inline policies.

Example:

Permission Boundary:

Finally, and following the same principles as previous options, you have the option to include Permission boundaries. More details about Permission boundaries.

Note: Permission boundaries can only be "AWS managed policy" OR "Customer managed policy" (Not both). In addition, you can only select ONE policy to apply.

Having completed all the fields on the Permissions page as needed, click on Next to move to Account template creation - Roles & Access

Example:

This example restricts users to only basic EC2 actions:

Account template creation - Roles & Access

In this section, you define if leases can be shared, if they require approval, and who can manage and approves them.

Team sharing (1)

In the Team Sharing section of the page. A simple toggle that once enabled will require the Manager or Administrator to provide the number of Users it can be shared with. A User will provide the additional Users that a lease can be shared with a the request.

• • Toggle the Enable team access to being configuring the number of Users that a lease can be shared with.
  • Set the Maximum team size to the number of Users to permit per lease.

Team size is: Owner + Number of additional users

Approvals (2)

This section lets you define whether an approval is required to create new leases using this template.

We recommend requiring approval for leases with extended permissions or that will incur high costs.

• Set "Approval required" to Yes if you want new lease to be approved by managers before being created.

If no approval is required, new leases are created immediately.

Users & Groups (3 & 4)

These sections are set to define who can Approve or Managed leases created for this template:

• Approver: Users or groups of users who receive approval requests on lease creation and who can approve leases created with this template
• Manager: Users or groups of users who can manage leases created with this template, that is:
  • View the leases
  • Extend budget and duration
  • Terminate leases
  • Login to the AWS account

Administrators can both approve and manage leases, even if not in this list of users/groups

Groups are defined in IAM Identity Center. How to add groups to IAM Identity Center

Having completed all the fields on the Managers page as needed, click on Next to Account template creation - Launch Settings

Account template creation - Launch Settings

Using launch templates, managers can define what resources need to be set up on new accounts creation. For instance, create S3 buckets, deploy Cloud Formation templates, etc.

Sandbox Studio uses AWS Codebuild to set up resources.

Launch Settings (1)

Select "Run setup before account access" to enable launch templates. By ticking this item, you need to provide the script to create resources on account creation.

If no resource needs to be created on account creation, untick this box to provide an "empty" account to users.

Download files from S3 (2)

In some scenario, you may need to download files from S3 to create your resources. For example, download a Cloudformation template, download softwares, etc.

You need to provide an S3 path to a folder or a bucket (not to the object directly). 

Sandbox Studio will run a sync command to fetch the folders and objects from S3 into the /tmp folder of the Codebuild instance.

Sandbox Studio does not require your bucket to be public! Follow the next steps to learn how to configure S3 access

Sandbox Studio requires your bucket to be accessible to the LaunchTemplateExternalAccessRole created in your environment.

You can click on "Configure S3 access" to display the S3 bucket policy to apply on your S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSandboxStudioAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<hub-account-number>:role/LaunchTemplateExternalAccessRole"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name",
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Pre-Launch script (3)

Pre-Launch script allows you to run a script before your actual launch script to, for example, install tools, packages, update the environment, etc. 

The environment used to create the resources is based on Amazon Linux 2023 (x86_64). (aws/codebuild/amazonlinux-x86_64-standard:5.0)

Launch script (4)

Launch script is your actual script to create resources in your account. 

The environment used to create the resources is based on Amazon Linux 2023 (x86_64). (aws/codebuild/amazonlinux-x86_64-standard:5.0)

Please refer to following section to return environment details to the Sandbox Studio interface.

Example of script to create a S3 bucket:

#!/bin/bash
BUCKET_NAME="sample-bucket-$(date +%s)" # Unique bucket name from current timestamp
REGION="us-east-1"

aws s3 mb --region $REGION s3://$BUCKET_NAME

How to set "Environment details" in Sandbox Studio?

Sandbox Studio allows you to display environment details from the launch template script. You can, for example, return URLs, passwords, environment variables, etc. 

One interesting use case is to provide access to a VSCode environment: You can create a VSCode environment to your users and return the URL to the user. They don't need to login to the account and can directly access their VSCode with the information provided by the install script.

To set the environment details, you can use the pre-defined set-sandbox-output command:

VSCODE_URL="https://example.com"
PASSWORD="SuperStrongPassword"

set-sandbox-output --name "VSCodeServerUrl" --value "$VSCODE_URL"
set-sandbox-output --name "Password" --value "$PASSWORD" --is-secret

The tool takes 2 parameters (name and value).

For secret strings (i.e.: Password, API keys, etc.), add the parameter is-secret

Secrets variables are saved in AWS Secrets Manager and only displayed when the user clicks on the Display icon.

Having completed all the fields on the Launch Settings page as needed, click on Next to Account template creation - Review

Account template creation - Review

Having completed all the steps, the final step is to Review the selected settings and one satisfied that everything is correct, click Submit to create a new lease template.

Users can then request a lease with this new lease template.

The new lease template becomes available immediately:

And end users can start using it:

Update Account templates

To update an account template, go to "Account Templates" and open the template you want to modify:

Then edit any of the fields you want to update:

Duplicate Account Templates

To duplicate an account template, go to "Account Templates" and open the template you want to duplicate:

Click on the "Actions" button and choose "Duplicate account template":

This will redirect you to the Account template creation page with information pre-filled:

Reporting

Reporting

As a Manager or Administrator, you can view the costs incurred by the leases. This allows you to keep track of the costs of your leased accounts.

• You can view all leases on the Manage Leases page. Each lease will display the amount spent on the lease so far under the Costs column.  By default, the Leases page will only display the Active and Locked leases. If you’d like to see the costs incurred by Terminated leases, you can use the Status filter.
• Detailed reporting (1) is available from the left hand menu.  You can filter by date, but also by Account Template, Event or Tags (2).  This enables reporting per department or cost code.

Note: Administrators with access to the organisation’s management account can access the AWS Cost Explorer console for full data on spending in their organisation. Cost Explorer refreshes your cost data at least once every 24 hours. For more information, refer to the Analysing your costs and usage with AWS Cost Explorer page.

Reference : Lease States

Leases states in Sandbox Studio.

This table explains the various states the leases can be in at any given time.