Skip to main content

What are leases?

Lease concept

A Lease is the core concept in Sandbox Studio. It represents a time-bound and/or budget-bound grant of access to a temporary AWS account for one or more users.

When a lease is created, Sandbox Studio provisions access to a short-lived AWS account. When the lease ends — whether through expiry, budget exhaustion, or manual revocation — that access is automatically removed.


Key Characteristics

 

  • Temporary: Every lease has a defined start time. It may also have an expiry date, but this is optional. A lease ends when its expiry date is reached, its budget is exhausted, or it is manually revoked — whichever comes first.
  • Scoped to an AWS account: Each lease maps to a single temporary AWS account.
  • Shareable: A lease can be assigned to a single user or shared across a group of users. All users on a shared lease access the same AWS account.
  • Budget-controlled: A lease can have a spending budget. If the account's costs hit the budget threshold, the lease is automatically terminated.
  • Automated: Lease creation, access provisioning, and cleanup are fully automated. No manual account handoff required.

 

Account Templates

An Account Template (also referred to as a Lease Template) is the blueprint that defines how a lease behaves and what the target AWS account looks like. Templates are configured ahead of time and referenced when creating leases.

An account template defines:

  • Lease constraints: Default and maximum duration, budget limits, and whether the lease can be shared.
  • Lease management: Who is allowed to manage (extend, revoke, ...), approve leases based on this template.
  • Account provisioning: The resources that should be deployed into the AWS account when the lease starts (e.g., VPCs, IAM roles, baseline infrastructure).
  • Access control: The IAM policies, permission boundaries, and roles that lease users receive within the account. This controls what users can and cannot do inside their sandbox.

Templates ensure consistency and governance across all leases. Administrators define the guardrails once, and every lease created from that template inherits them automatically.

 

Back to top