Administrator Guide - Innovation Sandbox on AWS

Administrator Guide

This section describes the various actions an Administrator can perform using the web UI.

Adding new accounts to the account pool

As an Administrator, you can add new AWS accounts to your account pool using the web UI. Adding new accounts will increase the number of accounts you can lease to your end users, allowing them to work with temporary AWS accounts. After you add new accounts to the account pool, you can lease these accounts to users.

Important

You will need to create the AWS accounts and add them to your organization before adding them to the account pool. The Innovation Sandbox solution cannot create new accounts for you.

  1. From the AWS Organizations console in your org management account, move accounts that you want to onboard into the Entry OU located under the <NAMESPACE>_InnovationSandboxAccountPool OU. This will stage them to be registered with the solution.

  2. In the solution web UI go to the Administration dropdown and choose Accounts. This will display the Accounts page.

  3. From the top right, choose Add accounts. The list of available accounts will only include those located in the Entry OU.

  4. From the list of available accounts, choose the accounts you want to add to the Account pool, and choose Register.

  5. Review your selections and choose Submit to add the selected accounts to your Account pool.

Resolving Account Cleanup Failures

During the account registration process the sandbox accounts go through an initial cleanup process. In some cases the account may fail cleanup and be placed into the Quarantine status. In most cases the cleanup failure is caused by resources that services integrated with AWS Organizations, such as AWS CloudTrail, AWS Security Hub, or Amazon GuardDuty, have created in the member account. These resources are managed from the organization and cannot be deleted from within the member account, so AWS Nuke reports a failure when it tries.

If the cleanup process fails in your deployment when registering accounts, you will need to modify the AWS Nuke configuration file so that it filters out (exempts from deletion) the protected resources. Keep each filter as narrow as possible: anything a filter matches is never deleted, so a filter that is broader than the organization-managed resource will also preserve a previous lessee's resources of that type in every sandbox account.

First we must discover the resources that should be ignored for your environment:

  1. In the Hub account navigate to the AWS Step Functions console and choose the account cleaner state machine starting with AccountCleanerStepFunctionStateMachine.

  2. Choose one of the recent executions with a Failed status.

  3. From the Details tab, copy the executionId provided at the top of the page (It will be in a format like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

  4. Navigate to the Amazon CloudWatch Logs Insights console.

  5. Choose Saved and sample queries from the menu on the right.

  6. Expand the group name ISB-<namespace> and choose the AccountCleanupLogs query.

  7. In the query editor replace the PasteStateMachineExecutionIdHere text with the executionId you copied previously.

  8. Ensure that the time range you selected includes the time of the cleanup failure.

  9. Choose Run query. The results list the resources that failed to be cleaned up.

  10. Make a note of any of the resource types in the resourceType column that should be filtered out.

Now we must update the AWS Nuke configuration file to ignore these resources:

  1. In the Hub account navigate to the applications page in the AWS AppConfig console.

  2. Choose the application starting with InnovationSandboxData-Config-Application.

  3. Choose the configuration profile starting with InnovationSandboxData-Config-NukeConfigHostedConfiguration. This is the AWS Nuke config file for the solution.

  4. To update the configuration file choose Create version.

  5. Use the resource types noted in the previous steps to modify the filter to ignore them. Refer to the AWS Nuke Config documentation for details on how to update filters.

  6. Once you have made your modifications, choose Create hosted configuration version.

  7. Then choose Start deployment to update the nuke configuration for the solution.
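The following is an added example, not code from the Innovation Sandbox solution, showing how an administrator can turn the rows returned by the AccountCleanupLogs query into AWS Nuke filters and merge them into the Nuke configuration without widening the filters beyond the organization-managed resources. It assumes the query rows carry a resourceName column beside resourceType (the page names only resourceType), that the Nuke configuration uses the aws-nuke layout presets.<name>.filters.<ResourceType> with accounts.<id>.presets listing the presets that apply, and that a bare string filter entry is an exact match on the resource name while an entry such as {"type": "glob", "value": "*"} matches every resource of that type. The sample rows and starting configuration are constructed for the example.

```python
"""Build narrowly scoped aws-nuke filters from cleanup-failure log rows.

Added example, not part of the Innovation Sandbox solution.  Assumed:
query rows expose `resourceType` and `resourceName`; the Nuke config is
the parsed YAML dict with `presets.<name>.filters` and `accounts.<id>.presets`;
a plain string filter is an exact-name match, a dict with `type: glob` is a
pattern match.
"""
from copy import deepcopy

# Constructed sample rows, not real Logs Insights output.
SAMPLE_ROWS = [
    {"resourceType": "CloudTrailTrail", "resourceName": "aws-controltower-BaselineCloudTrail"},
    {"resourceType": "CloudTrailTrail", "resourceName": "aws-controltower-BaselineCloudTrail"},
    {"resourceType": "GuardDutyDetector", "resourceName": "0ab1c2d3e4f5"},
    {"resourceType": "S3Bucket", "resourceName": "lessee-scratch-data"},
]

# Constructed starting configuration (the parsed YAML), not the solution's own file.
SAMPLE_CONFIG = {
    "regions": ["global", "us-east-1"],
    "accounts": {"111122223333": {"presets": ["common"]}},
    "presets": {"common": {"filters": {"IAMRole": ["OrganizationAccountAccessRole"]}}},
}


def failed_resources(rows):
    """Group the failed resources by type: {resourceType: sorted unique names}."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["resourceType"], set()).add(row["resourceName"])
    return {rtype: sorted(names) for rtype, names in grouped.items()}


def build_filters(failed, exempt_types):
    """Create exact-name filters only for the resource types the administrator
    has confirmed are organization-managed (`exempt_types`).  Every other type is
    returned in `review` instead of being filtered, so a lessee-created resource
    that merely failed to delete is never silently exempted from cleanup."""
    filters, review = {}, {}
    for rtype, names in failed.items():
        if rtype in exempt_types:
            filters[rtype] = list(names)   # exact names, deliberately no wildcard
        else:
            review[rtype] = names
    return filters, review


def merge_filters(config, preset, new_filters):
    """Return a copy of `config` with `new_filters` added to the named preset
    (created if missing) and the preset attached to every account.  Existing
    entries are kept and duplicates are not added, so the call is idempotent."""
    merged = deepcopy(config)
    preset_cfg = merged.setdefault("presets", {}).setdefault(preset, {})
    existing = preset_cfg.setdefault("filters", {})
    for rtype, entries in new_filters.items():
        current = existing.setdefault(rtype, [])
        for entry in entries:
            if entry not in current:
                current.append(entry)
    for account in merged.get("accounts", {}).values():
        presets = account.setdefault("presets", [])
        if preset not in presets:
            presets.append(preset)
    return merged


def wildcard_filters(config):
    """List (preset, resourceType) pairs whose filter matches everything.
    Such a filter keeps every resource of that type in every sandbox account,
    so a lessee's leftovers would survive cleanup into the next lease."""
    found = []
    for pname, pcfg in config.get("presets", {}).items():
        for rtype, entries in pcfg.get("filters", {}).items():
            for entry in entries:
                if (isinstance(entry, dict) and entry.get("type") in ("glob", "regex")
                        and entry.get("value") in ("*", ".*")):
                    found.append((pname, rtype))
    return found


if __name__ == "__main__":
    failed = failed_resources(SAMPLE_ROWS)
    new_filters, review = build_filters(failed, {"CloudTrailTrail", "GuardDutyDetector"})
    updated = merge_filters(SAMPLE_CONFIG, "common", new_filters)
    print("filters:", updated["presets"]["common"]["filters"])
    print("needs manual review:", review)
    print("wildcard filters:", wildcard_filters(updated))
```

To use this with the steps above, load the current hosted configuration version into a dict (for example with PyYAML's yaml.safe_load), run the merge, review anything reported in `review` before deciding whether it is organization-managed, confirm `wildcard_filters` is empty, and paste the yaml.safe_dump output as the new hosted configuration version.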

Assuming you have appropriately modified the filters for your environment you can now retry the cleanup process:

  1. Return to the solution web UI and navigate to the Accounts page.

  2. Select any accounts that are in the Quarantine status.

  3. Under the Actions menu, choose Retry cleanup.

This will reinvoke the cleanup process on the account with the new AWS Nuke configurations.

Note

If the cleanup process continues to fail, you may have missed a resource that needs to be filtered out. Repeat the steps above to add the appropriate filters to your AWS Nuke config file for other resources failing the cleanup that should be filtered out.

Account states in Innovation Sandbox

This table explains the various states an account can be in at any given time. These states are set by the solution; neither Administrators nor any other persona can change them manually.

State Description

Available

The account is in the pool and ready to be used as part of a lease.

Active

The account is being used for a lease.

Frozen

The account is being used for a lease but the user no longer has access to the account. Administrators and Managers can still access the account for evaluation and review purposes.

Note: This is an optional state. You will need to configure the account to freeze during the lease template creation. See Creating and managing lease templates for more information.

CleanUp

The account is going through the clean-up process.

Quarantine

Accounts that fail to complete the automated clean-up will be quarantined and an Admin will need to manually resolve any resources that failed to delete. After manual remediation, the account will go back into the clean-up state for a final clean-up process.

Account lifecycle in Innovation Sandbox

For more information, refer to the Account lifecycle section.

Managing existing accounts

As an Administrator, you can manage any existing accounts. This allows you to manually perform account lifecycle actions such as removing accounts from the pool, and retrying the clean-up process.

Figure: Account management options

To manage accounts:

  1. From the Administration dropdown, navigate to the Accounts page.

  2. Select the accounts you want to manage to enable the Actions dropdown. Using the Actions dropdown, you can perform these actions for the selected accounts.

Action Description

Eject account

Removes the account from the pool of available accounts.

Note: Administrators can also eject in-use accounts. For example, they might want to preserve work beyond the lease or move the account away from the management provided by Innovation Sandbox.

Retry cleanup

Restarts the clean-up process for that account. By default, lapsed or inactive accounts will be cleaned on a periodic basis. If an account cannot be cleaned, Administrators can manually resolve any issues, and use this option to restart the clean-up process. For example, for accounts in a Quarantine state.

Viewing or modifying Innovation Sandbox settings

You can view your Innovation Sandbox settings in the Settings section of the Administration dropdown.

To view the current settings, access the AWS AppConfig console in the Hub account, or use the Settings section in the web UI.

Figure: Innovation Sandbox AppConfig application overview

You cannot modify any settings directly using the web UI. Settings are modified through AWS AppConfig in the Hub account, so only principals with access to the Hub account's AppConfig resources can change them.

You can manage these two configuration profiles from the AWS AppConfig console in the Hub account:

  • Nuke configuration: This configuration determines how AWS Nuke behaves when cleaning your accounts. For more information on AWS Nuke, refer to the AWS Nuke documentation.

  • Global configuration: This is where you set general settings for your Innovation Sandbox solution. This includes setting the maximum budget and maximum duration for a lease, writing the terms of service and other settings. For more information on these settings, see Global configuration settings.

Figure: Configuration profile overview

Modify configuration

To modify either configuration:

  1. Choose the configuration you want to modify, and under the Hosted configuration versions section, choose Create. This will open a page where you can modify the configuration file.

  2. To update your setting, make your changes and choose Create hosted configuration version.

  3. To deploy your changes to Innovation Sandbox, choose Start deployment. The Deployment details page displays.

  4. Under the Deployment details section, keep the Environment and Deployment strategy parameters set to their default values.

  5. Select the version you want to deploy and choose Start deployment.

This will create and deploy a new version of your configuration. Note that all hosted configurations are versioned. You can roll back to a previous version by starting a new deployment and selecting a previous version.

Note

After the deployment is successful, you may notice a brief delay as the new settings are deployed to the Innovation Sandbox environment.

Global configuration settings

The following table includes all of the global configuration settings you can set or modify in Innovation Sandbox.

Setting Type Description

termsOfService

String

Terms of service that are presented to the user. You can customize this with your own words on how users should responsibly use their sandbox account and what they are responsible for.

maintenanceMode

Boolean

If set to true, restricts access for all personas except Admins. This allows Admins to perform sensitive maintenance work like setup, troubleshooting, upgrading, or teardown without users creating or using leases in the meantime.

leases.maxBudget

Number

The maximum budget that a lease template can be created with. Use this setting to globally enforce that no lease ever has a budget above this value.

leases.requiremaxBudget

Boolean

Flag that determines whether or not lease templates must be created with a maximum budget. When false, a lease template may omit the budget limit entirely.

leases.maxDurationHours

Number

The maximum duration, in hours, that a lease template can be created with. Use this setting to globally enforce that no lease ever lasts longer than this value.

leases.maxDurationThresholds

Number

The maximum duration thresholds (in hours).

leases.requiremaxDuration

Boolean

Flag that determines whether or not lease templates must be created with a maximum duration. When false, a lease template may omit the duration limit entirely.

leases.maxLeasesPerUser

Number

The maximum number of leases one user can hold concurrently. This includes leases pending approval.

cleanup.numberOfFailedAttemptsToCancelCleanup

Number

The number of failed AWS Nuke runs after which the clean-up process is deemed to have failed and the account is placed in the Quarantine state.

cleanup.waitBeforeRetryFailedAttemptSeconds

Number

The number of seconds to wait before retrying clean-up after a failed attempt.

cleanup.numberOfSuccessfulAttemptsToFinishCleanup

Number

The number of successful AWS Nuke runs required before the clean-up is deemed a success and the account returns to the Available state.

cleanup.waitBeforeRerunSuccessfulAttemptSeconds

Number

The number of seconds to wait between retrying clean-up after a successful attempt.

notification.emailFrom

String

The sender address that Amazon SES uses for email notifications. This address (or its domain) must be a verified identity in Amazon SES in the Hub account's region, otherwise SES rejects the send.
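The four cleanup.* settings together bound how long an account can stay in the CleanUp state before it becomes Available or is Quarantined. The following is an added example, not code from the Innovation Sandbox solution, that models that retry loop so an administrator can see what a given combination of values implies. It assumes each AWS Nuke run either succeeds or fails, that the success and failure counters accumulate over the whole clean-up rather than being reset by a run of the other kind (the page does not say), and that AWS Nuke's own run time is not counted; the setting values used are illustrative, not the solution's defaults.

```python
"""Model of the Innovation Sandbox cleanup retry settings.

Added example, not the solution's own state machine.  Assumed: counters
accumulate and are never reset; Nuke run time is ignored; values are
illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CleanupSettings:
    numberOfFailedAttemptsToCancelCleanup: int
    waitBeforeRetryFailedAttemptSeconds: int
    numberOfSuccessfulAttemptsToFinishCleanup: int
    waitBeforeRerunSuccessfulAttemptSeconds: int

    def validate(self):
        """Reject values under which the loop could never reach a decision."""
        if self.numberOfFailedAttemptsToCancelCleanup < 1:
            raise ValueError("numberOfFailedAttemptsToCancelCleanup must be >= 1")
        if self.numberOfSuccessfulAttemptsToFinishCleanup < 1:
            raise ValueError("numberOfSuccessfulAttemptsToFinishCleanup must be >= 1")
        if min(self.waitBeforeRetryFailedAttemptSeconds,
               self.waitBeforeRerunSuccessfulAttemptSeconds) < 0:
            raise ValueError("wait times must be >= 0")
        return self


# Illustrative values (constructed), not the solution's defaults.
EXAMPLE = CleanupSettings(3, 300, 2, 60).validate()


def simulate_cleanup(run_results, s):
    """Feed a sequence of AWS Nuke outcomes (True = run succeeded) through the
    retry rules.  Returns (final_state, runs_used, seconds_spent_waiting)."""
    successes = failures = runs = waited = 0
    for ok in run_results:
        runs += 1
        if ok:
            successes += 1
            if successes >= s.numberOfSuccessfulAttemptsToFinishCleanup:
                return "Available", runs, waited
            waited += s.waitBeforeRerunSuccessfulAttemptSeconds
        else:
            failures += 1
            if failures >= s.numberOfFailedAttemptsToCancelCleanup:
                return "Quarantine", runs, waited
            waited += s.waitBeforeRetryFailedAttemptSeconds
    return "CleanUp", runs, waited   # outcomes exhausted before a decision


def worst_case(s):
    """Most runs and longest total wait before the loop must terminate: every
    non-decisive success and failure can happen once before the decisive run."""
    fails = s.numberOfFailedAttemptsToCancelCleanup - 1
    succs = s.numberOfSuccessfulAttemptsToFinishCleanup - 1
    runs = fails + succs + 1
    wait = (fails * s.waitBeforeRetryFailedAttemptSeconds
            + succs * s.waitBeforeRerunSuccessfulAttemptSeconds)
    return runs, wait


if __name__ == "__main__":
    print(simulate_cleanup([False, False, True, True], EXAMPLE))
    print(simulate_cleanup([True, False, False, False], EXAMPLE))
    print("worst case (runs, wait seconds):", worst_case(EXAMPLE))
```

With the illustrative values, an account that fails twice and then succeeds twice becomes Available after four runs and 660 seconds of waiting, while one success followed by three failures is quarantined after the same four runs; worst_case reports that bound directly, which is useful when deciding how long a lease's account can reasonably be tied up in CleanUp before an Administrator should look at it.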