What does this AWS Solutions Implementation do?
This solution implementation deploys secure, self-contained, isolated environments that allow developers, security professionals, and infrastructure teams to safely experiment with AWS services and third-party applications that run on AWS. These sandbox environments use Amazon AppStream 2.0 for browser-based access and provide security controls to prevent data risks such as data exfiltration, accidental file transfers, and communication with local networks.
Benefits
Create sandbox accounts within your existing AWS Organizations account for networking isolation and to keep existing accounts secure.
Implement secure controls using custom IAM roles that allow users to experiment freely in an isolated environment.
Audit sandbox activities using secured Amazon CloudTrail logs.
Isolate data used in the sandboxes and prevent users from uploading data directly from their local network.
AWS Solutions Implementation overview
The diagram below represents the architecture flow you can automatically deploy using the solution’s implementation guide and accompanying AWS CloudFormation template.
AWS Innovation Sandbox Solutions Implementation architecture
This solution deploys two AWS CloudFormation templates in your AWS Organizations account and sets up the following:
1. The first AWS CloudFormation template creates two new AWS accounts and two new organizational units (OUs):
   - An organizational unit containing the management account, with an Amazon Virtual Private Cloud (Amazon VPC) running a NAT gateway, an AWS Transit Gateway, and an internet gateway.
   - An organizational unit containing the sandbox account and an Amazon VPC.
2. The solution's sandbox account has no direct access to the internet. Ingress and egress traffic for the sandbox account is routed through AWS Transit Gateway to the solution's management account. Access to the sandbox account is restricted with the AWS Identity and Access Management (IAM) condition key aws:SourceIp, so that access is allowed only from the management account (keeping the environment self-contained).
3. An Amazon AppStream 2.0 image is created by the customer with the required applications and tools.
4. The second CloudFormation template uses the image created in Step 3 to launch an Amazon AppStream 2.0 fleet, through which end users connect to the sandbox account.
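The aws:SourceIp restriction described above, written out as a service control policy for the sandbox OU. This is an added example, not a template from the solution itself; the two addresses are placeholders standing in for the Elastic IPs of the management VPC's NAT gateway in each Availability Zone, and the aws:ViaAWSService condition is assumed here so that calls AWS services make on a principal's behalf (for example CloudFormation) are not blocked.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySandboxAccessUnlessFromManagementEgress",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "203.0.113.10/32",
            "203.0.113.11/32"
          ]
        },
        "Bool": {
          "aws:ViaAWSService": "false"
        }
      }
    }
  ]
}
```

Any API call into the sandbox account whose public source address is not one of the listed NAT gateway addresses is denied, regardless of the IAM permissions the caller holds. Requests that reach AWS through a VPC endpoint do not carry aws:SourceIp at all and are evaluated with aws:VpcSourceIp instead, so a deployment that adds endpoints to the sandbox VPC needs a matching condition.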
For redundancy, the Amazon VPCs are created with subnets in two Availability Zones (AZs). The NAT gateway and the Amazon AppStream 2.0 fleet are deployed across both AZs, and the Transit Gateway is connected to both subnets.
AWS Innovation Sandbox
Version 1.0.0
Released: 08/2021
Author: AWS
Estimated deployment time: 30 min