AWS Cloud Operations Blog
How Mendix optimizes sandbox governance, balancing control and productivity
In today’s cloud-driven landscape, development sandboxes have become enablers of innovation, offering safe environments for experimentation and testing. However, as organizations scale, these sandbox environments often grow increasingly complex and difficult to manage. Unchecked, this complexity can lead to escalating costs from abandoned resources, increased security risks, and diminished productivity—undermining the very benefits sandboxes are intended to provide.
This was the challenge faced by Mendix, an AWS partner, which provides a low-code application development platform to their users. By implementing a sandbox governance strategy across four key pillars, Mendix not only realized substantial cost savings, but also enhanced developer productivity and agility. Their journey from sandbox sprawl to operational excellence offers valuable insights for any organization navigating similar issues.
In this blog post, we will delve into the strategies and best practices that enabled Mendix to regain control over their sandbox environments. We will explore how governance can balance developer autonomy with operational discipline, ensuring resources are managed, costs are contained, and innovation continues to thrive.
Overview of solution
The four critical pillars that formed the foundation of Mendix’s sandbox governance are explained below.
Automatic Sandbox Account Provisioning:
Through automated account provisioning, Mendix created standardized sandbox environments in minutes rather than days. The automated mechanism ensures that each sandbox account is created with pre-configured security guardrails, platform resources and IAM policies aligned with organizational standards.
By implementing automated account vending integrated with AWS Control Tower Account Factory for Terraform (AFT) and AWS Control Tower, Mendix reduced their sandbox account provisioning time from days to just 15 minutes, while ensuring consistent compliance and security controls across all environments.
Figure 1: Sandbox account provisioning automation
Initial Request Processing:
- The user fills in the form and submits a ticket in the ticketing tool to request a sandbox account.
- Topdesk events and actions trigger an HTTP POST request to an Amazon API Gateway endpoint.
- The API Gateway endpoint, with the help of a custom authorizer and an API Gateway resource policy, checks the authenticity of the request. If the request is legitimate, the authorizer grants permission to invoke the API endpoint.
- The API endpoint invokes the provisioning AWS Lambda function with a payload containing the ticket ID, requester information, and the details AFT needs to process the account vending request.
- The provisioning Lambda function processes the event, validates the input, prepares the data in the format AFT accepts, and pushes the code to Mendix’s GitLab repository to create the account.
Account Creation Phase:
- GitLab then triggers the AFT engine, which processes the account request further.
- AFT creates the sandbox account with the help of AWS Control Tower Account Factory.
- Upon successful creation of the sandbox account, AWS Control Tower emits lifecycle events, which in turn trigger the AFT account customizations.
Account Customization and Completion:
- AFT takes the following actions using its customization framework:
  - Provisions access to the sandbox account using IAM Identity Center.
  - Baselines the sandbox account with the required policies and resources using AFT account customizations.
- AFT creates an AWS CodePipeline to apply the customizations; this event is captured by an Amazon EventBridge rule, which then triggers the post-provisioning Lambda function.
- The post-provisioning Lambda function fetches the necessary metadata (ticket ID, requester email) stored by AFT, resolves the ticket, and notifies the requester with the details of the sandbox account and login instructions.
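The provisioning Lambda function above sits between an external ticketing system and code that Terraform will execute, so the two things a practitioner wants to see are the input validation and how the request is turned into an AFT account request. The following is an added example, not Mendix’s code: the ticket field names, the corporate e-mail domain, the account naming convention and the rule that this path may only vend into the Sandbox OU are assumptions, and the rendered HCL follows the input names of AFT’s account-request module (check them against your AFT version). The OU is pinned server-side, and every ticket value is escaped before it is written into HCL, because the ticket text is untrusted input that would otherwise land verbatim in Terraform code.

```python
"""Validate a sandbox-account request and render it as an AFT account request.

Added example, not Mendix's code. Field names, the e-mail domain, the naming
convention and the OU name are assumptions; the HCL layout follows the
documented inputs of AFT's account-request module.
"""
import re

ALLOWED_OU = "Sandbox"                 # assumption: the only OU this request path may vend into
ALLOWED_EMAIL_DOMAIN = "example.com"   # placeholder for the corporate mail domain
ACCOUNT_NAME_RE = re.compile(r"^sandbox-[a-z0-9]+(-[a-z0-9]+)*$")   # assumed naming convention
TICKET_ID_RE = re.compile(r"^[A-Za-z0-9-]+$")                       # assumed ticket id format


class InvalidRequest(ValueError):
    """Raised when the ticket payload must not be turned into an account request."""


def validate_request(payload: dict) -> dict:
    """Return a normalized request or raise InvalidRequest.

    The target OU is fixed here rather than taken from the ticket: anyone who can reach
    the API must not be able to vend an account into a non-sandbox OU.
    """
    required = ("ticket_id", "requester_email", "account_name", "owner_first_name", "owner_last_name")
    missing = [k for k in required if not str(payload.get(k, "")).strip()]
    if missing:
        raise InvalidRequest("missing fields: " + ", ".join(missing))

    ticket_id = str(payload["ticket_id"]).strip()
    if not TICKET_ID_RE.fullmatch(ticket_id):
        raise InvalidRequest("ticket id has unexpected characters")

    email = payload["requester_email"].strip().lower()
    if not re.fullmatch(r"[a-z0-9._%+-]+@" + re.escape(ALLOWED_EMAIL_DOMAIN), email):
        raise InvalidRequest("requester email must be a corporate address")

    name = payload["account_name"].strip().lower()
    if not ACCOUNT_NAME_RE.fullmatch(name) or len(name) > 50:
        raise InvalidRequest("account name does not match the sandbox naming convention")

    if payload.get("managed_ou", ALLOWED_OU) != ALLOWED_OU:
        raise InvalidRequest("only the Sandbox OU can be requested through this path")

    first, last = payload["owner_first_name"].strip(), payload["owner_last_name"].strip()
    if len(first) > 64 or len(last) > 64:
        raise InvalidRequest("owner name too long")

    return {
        "ticket_id": ticket_id,
        "requester_email": email,
        "account_name": name,
        "owner_first_name": first,
        "owner_last_name": last,
        "managed_ou": ALLOWED_OU,
    }


def _hcl_str(value: str) -> str:
    """Quote a value for HCL, escaping characters that would end the string or
    start a template interpolation (${...} / %{...}) in the generated Terraform."""
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("${", "$${").replace("%{", "%%{"))
    return '"' + escaped + '"'


def _hcl_map(name: str, mapping: dict, indent: str = "  ") -> str:
    """Render `name = { key = "value" ... }` with aligned keys."""
    width = max(len(k) for k in mapping)
    body = "\n".join(indent + "  " + k.ljust(width) + " = " + _hcl_str(v) for k, v in mapping.items())
    return indent + name + " = {\n" + body + "\n" + indent + "}"


def render_account_request(req: dict) -> str:
    """Render the module block that the AFT account-request repository expects."""
    local, domain = req["requester_email"].split("@")
    root_email = local + "+" + req["account_name"] + "@" + domain   # plus-addressed root mailbox (assumption)
    control_tower = {
        "AccountEmail": root_email,
        "AccountName": req["account_name"],
        "ManagedOrganizationalUnit": req["managed_ou"],
        "SSOUserEmail": req["requester_email"],
        "SSOUserFirstName": req["owner_first_name"],
        "SSOUserLastName": req["owner_last_name"],
    }
    tags = {"ticket_id": req["ticket_id"], "owner": req["requester_email"], "environment": "sandbox"}
    change = {"change_requested_by": req["requester_email"],
              "change_reason": "Sandbox request " + req["ticket_id"]}
    parts = [
        'module "' + req["account_name"].replace("-", "_") + '" {',
        '  source = "./modules/aft-account-request"',
        "",
        _hcl_map("control_tower_parameters", control_tower),
        "",
        _hcl_map("account_tags", tags),
        "",
        _hcl_map("change_management_parameters", change),
        "",
        _hcl_map("custom_fields", {"ticket_id": req["ticket_id"]}),   # read back by the post-provisioning step
        "",
        '  account_customizations_name = "sandbox"',
        "}",
    ]
    return "\n".join(parts) + "\n"
```

The rendered string is what the Lambda function would commit to the account-request repository; keeping validation and rendering as pure functions lets both be unit-tested without touching GitLab or AWS.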
Budget Monitoring:
Cost visibility and control are paramount in managing sandbox environments at scale. Implementing proactive budget monitoring helped Mendix maintain fiscal responsibility without stifling innovation. This pillar involves setting up automated cost thresholds, real-time spending alerts, and granular resource tracking at both the account and project level.
Mendix implemented dynamic budget controls that automatically notify the account owner when spend reaches the soft limit (50%) of the allocated budget; the sandbox account owner can then take action to stay within budget. If spend breaches the hard limit (close to 100%) of the budget, the account is isolated to stop users from creating additional resources.
Figure 2: Sandbox account budget monitoring solution
The technical workflow uses the following AWS services:
- AWS Budgets monitors the cost associated with each individual sandbox account.
- If the soft-limit or hard-limit threshold is breached, AWS Budgets sends the event to the Lambda function in the AFT management account via Amazon Simple Notification Service (SNS).
- The Lambda function parses the event and performs the following action:
  - If the actual usage exceeds the soft limit, it sends a notification to the sandbox account owner.
  - If the actual usage reaches the hard limit, it attaches a service control policy (SCP) to the sandbox account that denies users the ability to perform any API activity in the account, and sends a notification to the sandbox account owner and the Mendix IT support team.
- The sandbox account owner can then work with the IT support team to delete resources to bring spend back under the required threshold and restore normal usage of the sandbox account.
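The hard-limit branch is the security-relevant step: an SCP that denies every API call also locks out the people who have to clean up, so the isolation policy needs an exemption for the support and automation roles. The following added example (not Mendix’s code) shows the decision logic for the Lambda function in the AFT management account. The budget naming convention, the layout of the notification text, the role ARNs and the environment variable names are assumptions, and the budget message parser expects a constructed "Key: value" layout that must be adapted to the real AWS Budgets notification text. The boto3 calls are confined to the handler so the decision logic can be tested offline.

```python
"""Budget-threshold handler: soft limit notifies the owner, hard limit isolates the account.

Added example, not Mendix's code. Budget-name convention, message layout,
thresholds, role ARNs and environment variables are assumptions.
"""
import json
import re

SOFT_LIMIT = 0.50   # notify the owner (assumed to match the 50% soft limit described)
HARD_LIMIT = 1.00   # isolate the account
# Roles that must keep working after isolation, so support and AFT can still clean up (assumed names).
EXEMPT_ROLE_ARNS = ["arn:aws:iam::*:role/SandboxSupportRole", "arn:aws:iam::*:role/AWSAFTExecution"]
BUDGET_NAME_RE = re.compile(r"^sandbox-(\d{12})$")   # assumption: one budget per account, named by account id


def parse_budget_message(sns_message: str) -> dict:
    """Extract account id and amounts from a 'Key: value' notification body (constructed layout)."""
    fields = {}
    for line in sns_message.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    match = BUDGET_NAME_RE.match(fields.get("budget name", ""))
    if not match:
        raise ValueError("budget name does not identify a sandbox account")
    money = lambda s: float(s.lstrip("$").replace(",", ""))
    return {
        "account_id": match.group(1),
        "actual": money(fields["actual amount"]),
        "limit": money(fields["budgeted amount"]),
    }


def classify(actual: float, limit: float) -> str:
    """Return 'ok', 'soft' or 'hard' for the spend ratio against the budget."""
    if limit <= 0:
        raise ValueError("budget limit must be positive")
    ratio = actual / limit
    if ratio >= HARD_LIMIT:
        return "hard"
    if ratio >= SOFT_LIMIT:
        return "soft"
    return "ok"


def isolation_scp(exempt_role_arns=EXEMPT_ROLE_ARNS) -> dict:
    """Deny all API activity except for the exempt roles, so cleanup remains possible.

    Create this policy once in the management account and attach it by id; creating a
    new policy per incident would exhaust the SCP quota.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "IsolateOverBudgetSandbox",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": list(exempt_role_arns)}},
        }],
    }


def decide(event: dict) -> list:
    """Turn an SNS-wrapped budget event into (action, account_id) pairs."""
    actions = []
    for record in event.get("Records", []):
        info = parse_budget_message(record["Sns"]["Message"])
        state = classify(info["actual"], info["limit"])
        if state == "soft":
            actions.append(("notify_owner", info["account_id"]))
        elif state == "hard":
            actions.append(("attach_isolation_scp", info["account_id"]))
            actions.append(("notify_owner_and_support", info["account_id"]))
    return actions


def lambda_handler(event, context):
    """Execute the decided actions with boto3 (imported here so the module runs offline)."""
    import os
    import boto3
    orgs = boto3.client("organizations")
    sns = boto3.client("sns")
    actions = decide(event)
    for action, account_id in actions:
        if action == "attach_isolation_scp":
            try:   # ISOLATION_SCP_ID is a placeholder for the pre-created policy's id
                orgs.attach_policy(PolicyId=os.environ["ISOLATION_SCP_ID"], TargetId=account_id)
            except orgs.exceptions.DuplicatePolicyAttachmentException:
                pass   # already isolated by an earlier notification; nothing more to do
        sns.publish(TopicArn=os.environ["ALERT_TOPIC_ARN"],   # placeholder topic
                    Message=json.dumps({"action": action, "account_id": account_id}))
    return {"actions": actions}
```

Attaching the SCP is idempotent here because a repeated notification for the same account would otherwise fail on the duplicate attachment; the detach step after cleanup is the reverse call and is left to the support process described above.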
Resource Recycling:
Automated resource recycling represents a critical pillar of sandbox governance. This mechanism allows Mendix to systematically identify and decommission unused resources on a scheduled basis, ensuring development assets don’t persist beyond their intended lifecycle. Their resource recycling system automatically decommissions resources every quarter, while preserving platform created resources. This approach led to a 60% reduction in infrastructure cost without disrupting developer workflows.
Figure 3: Resource recycling
- As depicted in Figure 3, for each vended sandbox account there is an EventBridge Scheduler schedule in the AFT management account. On every schedule (the 1st of every quarter), EventBridge Scheduler invokes the AWS Step Functions state machine with the necessary inputs, such as the account ID and the allowlisted regions the account is permitted to operate in.
- The Step Functions state machine navigates to each region in the target account by assuming an IAM role and performs the following actions:
  - A Lambda function checks whether the account belongs to the Sandbox organizational unit (OU), as a safety net against running the recycle operation in any non-sandbox account.
  - If the account is part of the Sandbox OU, it creates an IAM role that the AWS CodeBuild job can assume to recycle the in-scope resources.
  - If the account does not belong to the Sandbox OU, the automation exits without executing any further steps.
  - A Step Functions Map state iterates over the regions provided as input, in parallel, using CodeBuild remote invocation jobs to perform the following:
    - Download the recycle configuration file from the central Amazon S3 bucket, which specifies the in-scope and out-of-scope resources for recycling.
    - Terminate the in-scope resources and send notifications to the account owners about the activity.
  - A Lambda function deletes the IAM role created earlier, so that the highly privileged role exists only for the lifetime of the automation.
- Another EventBridge schedule runs multiple times during the quarter to send regular notifications to the sandbox account owners about the quarterly resource recycling event.
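Two decisions in this workflow carry the risk: the OU safety check that gates a destructive job, and the in-scope/out-of-scope filter that keeps platform-created resources alive. The following added example (not Mendix’s code) shows both as pure functions that the state machine’s Lambda and CodeBuild steps could call. The configuration layout, the tag used to mark platform-created resources, the OU id, the resource record shape and the stub Organizations client are all constructed for this example; the real check would use boto3’s `list_parents` on the Organizations client, which the stub mimics.

```python
"""Quarterly recycle: OU safety check plus in-scope/out-of-scope resource selection.

Added example, not Mendix's code. Configuration layout, tag names, OU id and the
resource record shape are assumptions; the Organizations client is injected so the
check can be exercised offline with a stub.
"""
import fnmatch
import json

SANDBOX_OU_ID = "ou-xxxx-sandboxou"   # placeholder for the real Sandbox OU id

# Constructed recycle configuration, standing in for the file kept in the central S3 bucket.
RECYCLE_CONFIG = json.loads("""
{
  "in_scope_types": ["ec2:instance", "ec2:volume", "rds:db", "lambda:function", "s3:bucket"],
  "protected_tags": {"platform:managed": "true"},
  "protected_arn_patterns": ["arn:aws:s3:::*-aft-*", "arn:aws:lambda:*:*:function:platform-*"]
}
""")


def account_in_sandbox_ou(orgs_client, account_id: str, sandbox_ou_id: str = SANDBOX_OU_ID) -> bool:
    """Safety net: only accounts whose direct parent is the Sandbox OU may be recycled."""
    parents = orgs_client.list_parents(ChildId=account_id)["Parents"]
    return any(p["Type"] == "ORGANIZATIONAL_UNIT" and p["Id"] == sandbox_ou_id for p in parents)


def is_protected(resource: dict, config: dict) -> bool:
    """Platform-created resources are recognised by tag or ARN pattern and never recycled."""
    tags = resource.get("tags") or {}
    if any(tags.get(k) == v for k, v in config["protected_tags"].items()):
        return True
    return any(fnmatch.fnmatch(resource["arn"], pat) for pat in config["protected_arn_patterns"])


def select_for_recycling(resources: list, config: dict, allowed_regions: list) -> list:
    """Return ARNs to terminate: in-scope type, inside an allowlisted region, not protected."""
    selected = []
    for res in resources:
        if res["type"] not in config["in_scope_types"]:
            continue
        if res.get("region") and res["region"] not in allowed_regions:
            continue   # outside the regions the job is permitted to touch
        if is_protected(res, config):
            continue
        selected.append(res["arn"])
    return selected


def plan_recycle(orgs_client, account_id: str, resources: list, allowed_regions: list,
                 config: dict = RECYCLE_CONFIG) -> dict:
    """Combine the OU gate and the filter into the plan the state machine acts on."""
    if not account_in_sandbox_ou(orgs_client, account_id):
        return {"account_id": account_id, "action": "exit",
                "reason": "account is not in the Sandbox OU", "terminate": []}
    return {"account_id": account_id, "action": "recycle",
            "terminate": select_for_recycling(resources, config, allowed_regions)}


class StubOrganizations:
    """Offline stand-in for the boto3 Organizations client (constructed for this example)."""

    def __init__(self, parent_ou_by_account: dict):
        self._parents = parent_ou_by_account

    def list_parents(self, ChildId: str) -> dict:
        return {"Parents": [{"Id": self._parents[ChildId], "Type": "ORGANIZATIONAL_UNIT"}]}


SAMPLE_RESOURCES = [   # constructed inventory for one sandbox account
    {"arn": "arn:aws:ec2:eu-west-1:111111111111:instance/i-0abc", "type": "ec2:instance",
     "region": "eu-west-1", "tags": {}},
    {"arn": "arn:aws:lambda:eu-west-1:111111111111:function:platform-baseline", "type": "lambda:function",
     "region": "eu-west-1", "tags": {"platform:managed": "true"}},
    {"arn": "arn:aws:s3:::team-data-111111111111", "type": "s3:bucket", "region": None, "tags": {}},
    {"arn": "arn:aws:ec2:us-east-2:111111111111:volume/vol-0def", "type": "ec2:volume",
     "region": "us-east-2", "tags": {}},
    {"arn": "arn:aws:iam::111111111111:role/OrganizationAccountAccessRole", "type": "iam:role",
     "region": None, "tags": {}},
]
```

Keeping the OU gate separate from the filter matters: the gate is the reason a misconfigured schedule cannot empty a production account, while the filter is what lets the job run unattended without removing the baseline that AFT manages.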
Controls:
Security controls are standardized safeguards, including policies, procedures, and technical configurations, that organizations implement to protect their IT resources and ensure compliance. Within AWS sandbox environments, these controls operate by automatically restricting and monitoring user actions. This allows developers to experiment freely while preventing activities that could compromise security or exceed organizational boundaries.
These controls fall into two distinct categories, as explained below.
Preventive Controls:
The Mendix team has implemented preventive controls in the form of AWS Organizations service control policies (SCPs) to prevent non-compliance in their sandbox environment, such as restricting sandbox accounts to operate only in the approved regions, protecting platform-created resources from modification, and denying accounts the ability to leave the organization. These guardrails proactively block actions that violate the organization’s policies.
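The three guardrails named above map to three SCP statements, and the part that usually goes wrong in practice is the region restriction: global services such as IAM, STS and Organizations are not region-scoped, so a naive region deny breaks sign-in and account management. The following added example (not Mendix’s code) builds the policy from a region allowlist; the global-service exemption list is a starting set to tune, the platform tag and the exempt automation role are assumptions, and the tag-based protection only covers actions whose resources support the `aws:ResourceTag` condition key (other platform resources need explicit ARNs).

```python
"""Preventive guardrails for sandbox accounts as a single Service Control Policy.

Added example, not Mendix's code. Region list, platform tag, exempt role and the
global-service exemptions are assumptions to adapt to the target organization.
"""
import json

# Actions of services that are not region-scoped; without this exemption a region
# restriction blocks IAM, STS, Organizations and console sign-in (starting set to tune).
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "account:*", "support:*", "budgets:*", "ce:*",
    "cloudfront:*", "route53:*", "route53domains:*", "waf:*", "shield:*", "health:*",
    "access-analyzer:*", "sso:*", "trustedadvisor:*",
]
PLATFORM_TAG_KEY = "platform:managed"                # assumed tag on platform-created resources
AFT_ROLE_ARN = "arn:aws:iam::*:role/AWSAFTExecution"  # automation role that must keep managing baselines
PROTECTED_ACTIONS = [  # destructive/modifying actions to deny on tagged platform resources
    "ec2:TerminateInstances", "ec2:DeleteVpc", "ec2:DeleteSubnet", "ec2:DeleteSecurityGroup",
    "lambda:DeleteFunction", "lambda:UpdateFunctionCode",
    "iam:DeleteRole", "iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy", "iam:AttachRolePolicy",
]
SCP_MAX_CHARS = 5120   # documented SCP size limit; whitespace counts, so store it compact


def sandbox_guardrail_scp(allowed_regions, platform_tag_key=PLATFORM_TAG_KEY,
                          exempt_role_arn=AFT_ROLE_ARN) -> dict:
    """Return the SCP implementing region restriction, org lock-in and platform protection."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)},
                    "ArnNotLike": {"aws:PrincipalARN": exempt_role_arn},
                },
            },
            {
                "Sid": "DenyLeavingOrganization",
                "Effect": "Deny",
                "Action": ["organizations:LeaveOrganization"],
                "Resource": "*",
            },
            {
                "Sid": "ProtectPlatformResources",
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:ResourceTag/" + platform_tag_key: "true"},
                    "ArnNotLike": {"aws:PrincipalARN": exempt_role_arn},
                },
            },
        ],
    }


def compact_policy(policy: dict) -> str:
    """Serialize without whitespace, which is how it should be stored to stay under the limit."""
    return json.dumps(policy, separators=(",", ":"))


def policy_size_ok(policy: dict) -> bool:
    """Check the serialized policy against the SCP size limit before calling create_policy."""
    return len(compact_policy(policy)) <= SCP_MAX_CHARS
```

Because SCPs only filter permissions and never grant them, the exempt automation role still needs its own IAM permissions in the account; the `ArnNotLike` condition simply keeps these guardrails from blocking the AFT baseline itself.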
Detective Controls:
The Mendix team leverages AWS Config to detect configuration changes and policy violations in their sandbox environment. Additionally, they use a third-party security monitoring tool, creating a comprehensive system that continuously assesses resource configurations and potential vulnerabilities. When non-compliant states are detected, the system automatically notifies the relevant stakeholders, including the Security team and the Cloud Center of Excellence. This approach ensures that any deviation from established security baselines or best practices is promptly identified and addressed.
Conclusion
In this blog post, we’ve explored how Mendix transformed their cloud sandbox governance through a comprehensive four-pillar strategy: automated account provisioning, budget monitoring, resource recycling, and security controls. This approach reduced account provisioning time from days to 15 minutes, while cutting sandbox-related cloud costs by 60%. The implementation created a sustainable and efficient sandbox environment that enables Mendix to maintain strict cost control while accelerating innovation cycles.
To begin your sandbox governance journey, start by exploring AWS Control Tower’s Account Factory and AFT for automated account provisioning. Once you have the foundation in place, you can gradually implement additional governance pillars as described above to optimize your sandbox environment.