Sandbox per builder or team with spend limits Temporary resources and environments Wide-ranging access No access to corporate resources and non-public data Sandbox and development environments Additional Services and Functionalities Example structures

Sandbox OU

The Sandbox OU contains accounts in which your builders are generally free to explore and experiment with AWS services and other tools and services subject to your acceptable use policies. These environments are typically disconnected from your internal networks and internal services. Sandbox accounts should not be promoted to any other type of account or environment within the Workloads OU.

Sandbox per builder or team with spend limits

A common practice is to provide a sandbox account to either each builder or each small team of builders, along with cloud spend budgets to ensure that their AWS spending aligns within your policies. In more advanced scenarios, you might provide your builders and teams with the option to have multiple sandbox accounts so that they can experiment more freely with configurations that entail use of multiple accounts (for example, experimenting with cross-account IAM roles).

There is a maximum number of accounts in an organization. If you have thousands of builders and expect to allocate a sandbox environment for each builder, you might encounter the maximum quota for accounts. Refer to Quotas for AWS Organizations for more details on the maximum number of accounts in an organization.

In cases where you need more than several thousand sandbox accounts, you might consider either creating one or more separate organizations to contain the sandbox accounts or establishing a process to recycle sandboxes when they are no longer in use.

Temporary resources and environments

Unlike more persistent development environments, it’s common to set expectations with your builders that the resources they create in sandbox environments are temporary in nature. As a cost control measure and to reinforce the temporary nature of sandbox resources, you can put automated procedures in place to periodically purge the resources created in these environments. As a further measure to reduce costs, you can use the Instance Scheduler on AWS solution to automate the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) instances based on provided schedules

Wide-ranging access

Wide-ranging access is typically provided in sandbox-oriented accounts including administrative-like access within each account, full access to most AWS services, and possibly outbound and inbound access to the internet. Access to the internet might be required to connect to AWS service APIs, download externally accessible software packages, and integrate with publicly available services.

No access to corporate resources and non-public data

Given the extent of access provided in sandbox environments, businesses typically employ a combination of guardrails and internal usage agreements to limit builders from accessing corporate resources and data from their sandbox accounts. Use of non-public data and intellectual property, including proprietary source code and binaries, is typically not allowed in sandbox environments.

Sandbox and development environments

Due to use of non-public data and the more formal nature of the work being performed in development environments, we recommend that you make a high-level distinction between sandbox environments and development environments. For example, in development environments your teams are performing more formal experiments, day-to-day development, and early testing work that requires access to your intellectual property and to enterprise services, such as source code and artifact management.

For more information about potential distinctions between your sandbox, development, and other environments, refer to the following appendices:

Additional Services and Functionalities

Common examples of monitoring capabilities that can be centrally accessed and managed using a Shared Services account include:

Instance Scheduler on AWS solution to automate the starting and stopping of Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) instances based on provided schedules.

Example structures

Sandbox per builder or team

In the following example, sandbox accounts are represented for individual builders and teams. One user has two sandbox accounts so that they can perform experiments that require multiple accounts.

In support of hackathons and other events, you might also find value in creating transient sandbox accounts for temporary teams of people.

This image shows an example structure of a sandbox OU.

Example structure of Sandbox OU

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure OU

Workloads OU