Manager Guide - Innovation Sandbox on AWS
Creating and managing lease templatesApproving and rejecting leasesChoosing the right budget and duration configurationManaging leasesViewing your lease costsAccessing user accounts for troubleshooting

Manager Guide

This section describes the various actions a Manager can perform using the web UI.

Creating and managing lease templates

Managers (and Administrators) can create lease templates. A lease template defines a specific configuration that a user can choose when requesting a lease. All of your available lease templates are displayed on the Lease Templates page.

To create a lease template:

  1. In the web UI, from the left, select Lease Templates.

  2. Choose Add new lease template.

  3. On the Add a New Lease Template page, complete the required fields in the Basic details section.

    1. For Name, enter a descriptive name for your lease template so that you can easily keep track of it.

    2. (Optional) For the description, specify the intended purpose of the account type.

    3. If you would like the account associated with this template require an approval, leave the Approval required toggle as default.

Note

If you are unsure about which approval method to use:

  • For accounts that do not need any manual approval, choose No approval required. These can be accounts with a small budget, used for testing and small workloads. If you select this approval method, the account will be automatically assigned to a user when they request this.

  • For accounts that requires extra approval to grant access, choose Approval required. For example, you want to set accounts to be used by experienced users or have high budgets. If you select this approval method, you will need to manually approve the account when users request this account.

  1. Choose Next.

  2. On the Budget page, complete the required fields. See Choosing the right budget and duration configuration for more information.

    1. If you select Set a max budget, enter a value in Maximum Budget Amount. The budget is measured in $USD. This will also automatically create a threshold which will invoke the clean-up process on the associated account once the entered budget is matched.

    2. Add thresholds depending on your use case. To add a threshold, click Add a threshold. Enter a value in $USD and select an action to perform when that value is reached. You can choose an action from Send Alert or Freeze Account.

  3. Choose Next.

  4. On the Lease Duration page, complete the required fields. See Choosing the right budget and duration configuration for more information.

    1. If you select Set a maximum duration, enter a value in Maximum Lease Duration (in hours). This determines how long the lease is available for.

    2. You can optionally set thresholds if a maximum duration is set, to specify what happens as the threshold approaches. To add a threshold, click Add a threshold. Enter a value in hours and select an action to be initiated once that value is reached.

  5. Review you settings, and choose Submit to create a new lease template. Users can request a lease with this new lease template.

To modify an existing lease template:

  1. On the Lease Templates page, select the name to open the lease template you want to modify. This allows you to edit the lease template settings.

  2. Update your lease template using the tabs (Basic Details, Budget, Duration), and choose Update to update the lease template.

Note

Modifying a lease template will not affect any existing leases with the old configuration.

To delete a lease template:

  1. On the Lease Templates page, select the lease template you want to delete. This will enable the Actions dropdown.

  2. Under Actions, select Delete. Confirm your choice in the pop up message and choose Delete to delete the template.

Note

Deleting a lease template will not affect any existing leases with the deleted lease template.

Approving and rejecting leases

Certain accounts require approval to be requested for a lease. When a user requests such an account, Managers or Admins need to approve the request for the user to be granted a lease.

  1. From the left, select Approvals to view your approval requests.

  2. Select the request that you would like to approve/reject. You can select multiple requests at the same time.

  3. Using the Actions dropdown, select either Approve request(s) or Deny request(s) depending on your use case.

  4. On the dialog box asking you to confirm, select Approve or Deny.

Choosing the right budget and duration configuration

When creating lease templates, you will be prompted to set budget and duration for the lease as well as thresholds. These thresholds determine the behavior of the lease once a budget or duration is reached. In this section, we’ll explore in more details how to set these thresholds and why they are important to your Innovation Sandbox environment by looking at different use cases.

Here are the different actions that can be triggered when a threshold is reached.

Action Description

Send Alert

An alert is sent to the user notifying them that the budget or duration threshold has been reached.

Freeze account

The account is set to the Frozen state. The account is being used for a lease but the user no longer has access to the account. Administrators and Managers can still access the account for evaluation and review purposes.

Terminate account

The clean-up process will start on the account. Note that this action is only available when a maximum budget or duration is set.

To get started with this guide, follow the instructions in Creating and managing lease templates until you reach the budget section.

Budget thresholds

The budget configuration determines the spending limit for the account once leased. The thresholds are measured in $USD and actions are triggered when the account spending reaches the threshold value.

Use case 1: Not setting a budget

If you select Do not set a budget, the lease will not automatically terminate, even if spending exceeds a certain limit. We recommend using this option for experienced users. It is also recommended for these leases to require approval, so you can limit their use. Bear in mind that the lease will terminate if a maximum duration is set.

You can still set thresholds on a lease with no budget. It is encouraged that you do so users can keep track of the lease usage and take action if necessary. The figure below shows an example of a lease with no budget but with thresholds set.

Setting thresholds and no budget
Setting thresholds with no budget

In this example, an alert is sent when the budget reaches $100, $500 and $750, and the account is frozen when the budget reaches $1000. Freezing the account prevents further user activity on the account, as any active resources will continue to incur costs. It gives managers time to investigate the spending, if needed. The user can also keep track on the spending using alerts.

Use case 2: Setting a budget with thresholds

Choosing to add a budget creates an extra layer of protection around the account once it is leased. Accounts with a budget are wiped automatically when the budget is reached. The right budget for your lease can depend on multiple factors including (but not limited to):

  • The type of workloads that will be run on the accounts: For instance, you might want to set a higher budget for accounts that will be used for machine learning workloads.

  • The experience of the user: A user with little or no experience with AWS might incur more costs than an experienced user.

  • The purpose of the account: Accounts used for testing might have a lower budget than other accounts.

Note

The maximum budget you can set is limited by the maximum budget set in the Global configuration set by the administrator of your Innovation Sandbox environment. See Viewing or modifying Innovation Sandbox settings for more information.

When you set a maximum budget a threshold is automatically created for you. This threshold will wipe the account once that budget is reached.

Default threshold when a budget is set
Default threshold when a budget is set

You can also set additional thresholds to send alerts or freeze the account at different budget levels. They can be used to keep track of the spending and take action if necessary.

Duration thresholds

Use case 3: Not setting a duration

Leases with no duration will only terminate if a maximum budget is set, or if manually terminated by a manager or administrator. Hence, it is important to keep this in mind when choosing Do not set a maximum duration. In addition, choosing this option will not allow you to set any thresholds. We recommend using leases with no durations, for workloads that are expected to run for an unknown amount of time.

Use case 4: Setting a duration with thresholds

The duration configuration determines how long the account is available once leased to a user. The thresholds are measured in hours. It is important to note that the threshold’s actions are only triggered when a certain amount of hours is left.

Standard duration threshold
Standard duration threshold

In this example, an alert is sent when 5 hours are left on the lease. It gives the user time to save their work if they want. Once the lease terminates, the account goes through the clean-up process.

Managing leases

As a Manager or Administrator, you can view and manage the status of leases. Leases give users access to a temporary AWS account. Their budget and duration configuration are defined by its corresponding lease template. A lease is assigned to a user and cannot be shared.

You can view all leases on the Leases page. Under Filter options, you can filter your leases, either by lease status (Active, Pending Approval) or Lease Template assigned to the lease.

To change lease status:

  1. On the Lease page, select a lease from the list of leases.

  2. Under Actions, choose the appropriate option to Freeze, Terminate or Update a lease.

    • When a lease is frozen, the user can view leases under their accounts, but cannot access the account through the AWS console.

    • When a lease is terminated, the user loses all access to the AWS account and will need to request a new lease.

    • Updating a lease allows you to increase the budget or extend the duration of the lease.

Note

When updating a lease, you can extend or reduce the budget of the lease. If you reduce the budget and the user has already spent more than the new budget, the account will go through the clean-up process once Innovation Sandbox detects that the new budget has been reached. The detection process runs once every hour.

Important

You cannot reactivate frozen or terminated leases.

Leases states in Innovation Sandbox

This table explains the various states the leases can be in at any given time.

State Description

Active

The lease is actively being used by a sandbox user.

Frozen - Threshold Reached

The lease has reached the predefined freeze threshold based on either spend, or lease duration. Sandbox users will no longer have access to the lease but the account could still have active AWS Resources running in it, that you will be billed for. The We recommend Admin review and eject the account out of the account pool.

Pending Approval

The lease request is pending approval from an Admin or a Manager.

Approval Denied

The lease request has been denied by an Admin or a a Manager.

Lease Duration Expired

The lease has reached its predefined maximum lease duration and the resources in the account are being cleaned up.

Lease Manually Terminated

The lease has been manually terminated by an admin or a sandbox manager and the resources in the account are being cleaned up.

Account Quarantined

The clean up process failed to terminate some of the resources in the account and manual intervention is required by the Admin to complete clean up. We recommend the Admin manually clean up the remaining resources in the account and initiate Retry Cleanup to complete the clean up process.

Account Manually Ejected

An Admin has manually ejected the account out of account pool.

Viewing your lease costs

As a Manager or Administrator, you can view the costs incurred by the leases. This allows you to keep track of the costs of your leased accounts.

You can view all leases on the Leases page. Each lease will display the amount spent on the lease so far under the Budget column. If the lease has a fixed budget, you will be shown a progress bar, showing how close the lease is to reaching the budget. All leases will also display the current spent inside the lease.

By default, the Leases page will only display the Active and Frozen leases. If you’d like to see the costs incurred by terminated leases, you can use the Status filter.

Administrators with access to the organization’s management account can access the AWS Cost Explorer console for full data on spending in their organization.

Note

Cost Explorer refreshes your cost data at least once every 24 hours. For more information, refer to the Analyzing your costs and usage with AWS Cost Explorer page.

Accessing user accounts for troubleshooting

Managers or Administrators may need to access a user’s AWS account for troubleshooting.

To access a user’s account, from the Leases page, find the lease corresponding to the account. If the lease is active, the Login to account option will be visible under the Access column. This will allow you to access the AWS Access portal, where you can log in using one of the available IAM roles.