What does this AWS Solutions Implementation do?

This solution implementation deploys secure, self-contained, isolated environments to allow developers, security professionals, and infrastructure teams to safely experiment with AWS services and third-party applications that run on AWS. These sandbox environments leverage Amazon AppStream 2.0 for browser-based access and provides security controls to prevent data risks, such as data exfiltration, accidental file transfers, and communication with local networks.


Account isolation

Create sandbox accounts within your existing AWS Organizations account for networking isolation and to keep existing accounts secure.

Security guardrails

Implement secure controls using custom IAM roles that allow users to experiment freely in an isolated environment.

Auditing controls

Audit sandbox activities using secured Amazon CloudTrail logs.

Secure and manage data transmissions

Isolate data used in the sandboxes and prevent users from uploading data directly from their local network.

AWS Solutions Implementation overview

The diagram below represents the architecture flow you can automatically deploy using the solution’s implementation guide and accompanying AWS CloudFormation template.

AWS Innovation Sandbox | Architecture Flow Diagram
 Click to enlarge

AWS Innovation Sandbox Solutions Implementation architecture

This solution deploys two AWS CloudFormation templates in your AWS Organizations account and sets up the following:

  1. The first AWS CloudFormation template creates two new AWS accounts and two new organizational units (OUs):
  2. The solution’s sandbox account has no direct access to the Internet. Ingress and egress traffic to this sandbox account are routed through AWS Transit Gateway to the solution’s management account. Access to the sandbox account is restricted via the AWS Identity and Access Management (IAM) condition key aws:SourceIp, to allow access only from the management  account (allowing for a self-contained environment).
  3. An Amazon AppStream 2.0 image is created by the customer with required applications and tools.
  4. The second CloudFormation template uses the image created in Step 3 to launch an Amazon AppStream 2.0 instance fleet, where end users connect to access the sandbox account.

For redundancy, the Amazon VPCs are created with subnets in two Availability Zones (AZs) for high availability. The NAT gateway and Amazon AppStream 2.0 fleet are deployed across these two AZs. The Transit Gateway are connected to both subnets.

AWS Innovation Sandbox

Version 1.0.0
Released: 08/2021
Author: AWS

Estimated deployment time: 30 min

Estimated Cost Source Code  CloudFormation template 
Use the button below to subscribe to updates for this Solutions Implementation.
Note: To subscribe to RSS updates, you must have an RSS plug-in enabled for the browser you are using.
Did this Solutions Implementation help you?
Provide feedback 
Build icon
Deploy a Solution yourself

Browse our library of AWS Solutions Implementations to get answers to common architectural problems.

Learn more 
Find an APN partner
Find an APN Partner

Find AWS certified consulting and technology partners to help you get started.

Learn more 
Explore icon
Explore Solutions Consulting Offers

Browse our portfolio of Consulting Offers to get AWS-vetted help with solution deployment.

Learn more