Best practices for establishing AWS Sandbox accounts for your organization

1
T E A M W O R K . N E T
Sandbox Strategy
Best practices for establishing AWS Sandbox
accounts for your organization

HI!
AWS Solutions Architect for over 8 years
AWS Authorized Instructor
AWS Community Builder since March 2024
Lead Architect in 2 CCoEs
SYLVAIN BRUAS
Senior Cloud Consultant
AWS Authorized Instructor
AWS Community Builder
AWS User Group Leader Geneva
ANDA-CATALINA GIRAUD

WHY SANDBOXES?
Copyright : Marvel / Sony Pictures Entertainment
Developers:
« I want a space where I can test anything I want »

WHY SANDBOXES?
BUT
With great power
comes
great (Financial and Security) responsibilities
Copyright : Marvel / Sony Pictures Entertainment
Developers:
« I want a space where I can test anything I want »
Uncle Ben

OUR C.T.O.
"Ok to have a general-purpose sandbox."
I need advice on several subjects:
q Governance: One or more sandboxes?
q Data: How to protect our data?
q Security: How to connect to sandboxes?
q Network: How to isolate sandbox from our landing zone?
q Costs: How to avoid high costs?
Well
Architected
Framework

6
SANDBOX
BASICS
2 0 2 4

WHAT IS A SANDBOX?
Sandbox is:
Heavily insulated
Used for training and to learn
Used to test new tools

WHAT IS A SANDBOX?
Sandbox is:
Heavily insulated
Used for training and to learn
Used to test new tools
Sandbox is NOT:
A development or testing
environment
Designed to host real data

ONE OR MORE ACCOUNT(S)?
Linked to
teams / company size
and
compliance requirements
One account
Faster setup
Costs analytics complex
Increased blast radius
Hard clean up
wayhomestudio on Freepik
Multiple accounts
Run at scale model
Cost analytics easier at
account level
One account by user or
team or by BU
Clean up -> delete account

SANDBOX
FOUNDATIONS
2 0 2 4

PUT OWNERSHIP IN PLACE
To be aligned with FinOps best practices, everyone must provide:
• A clear reason to use sandboxes (least privileges)
• An agreement with his/her manager to assume costs
• A realistic end date for their access
• A cost estimate is a plus
Every sandbox user is accountable for Costs and Security issues.
Governance or CCoE teams will provide training, documents, tools
and support to avoid all issues.

OWNERSHIP EVERYWHERE
Goal: Each user's resources must be clearly identified
Use of tag on every resource
Enforcement with:
• Tag policies
• SCPs
• Config rules
AWS
Lambda
AWS
Config
AWS
CloudTrail
AWS
Organization
Owner

By default:
• Only 1 region is allowed, based on user location (us-east-1, eu-west-1 or ap-southeast-1)
• N.Virginia (us-east-1) is open only for global services
• On-demand extra regions for specific use cases (DRP, S3 replication tests, networking tests…)
REGIONS
AWS
CloudTrail
AWS
Organizations
SCPs

SANDBOX
SECURITY
2 0 2 4

DATA SECURITY
Amazon
Macie
Amazon
GuardDuty
AWS
CloudTrail
The Economist, 2017, David Parkins
Security team views sandboxes as outside of landing zone
Utilizing real data constitutes a security breach and may result in
loosing your job
No real data No real data model

ROLES AND BOUNDARIES (IAM)
4 Sandbox roles:
Admin
Default Security
Network
Nearly admins, with few limitations:
• AWS Marketplace
• IAM user creation
• Control internet-facing endpoints
• ….

CONNECTIVITY
Allow
• AWS console connexion through AWS identity center
• Use AWS SSM to connect to instances
• CIDR /32 addresses for home office
Deny
• Connect to on-premise, non-prod and prod VPCs
• Security group rule 0.0.0.0/0
CCoE Provide prefix lists with office public IPs. They can be used
in Security group rules for HTTP/HTTPS
AWS
Lambda
AWS
Config
AWS
CloudTrail
AWS
IAM Identity
Center
Amazon
GuardDuty
AWS
Systems Manager

CONTROL AND COMPLIANCE
• Observability on sandbox is mandatory!
Ø AWS Cloudtrail sent to SOC team for analysis
Ø AWS Config to identify no compliant resources and
apply remediations
Ø Macie can be used for PII (not deployed)
• Remediations using AWS Config and AWS Lamba
AWS
Lambda
AWS
Config
AWS
CloudTrail
Amazon
Macie
AWS
Cloudwatch
Amazon
EventBridge

SANDBOX
AUTOMATION
AND SERVICES
2 0 2 4

TOOLKIT
Infra as Code:
• AWS Cloudformation / AWS Cloudformation stacksets
• CDK
• Terraform
Tools:
• A secure cloud: https://asecure.cloud/
• Cloud Custodian: https://cloudcustodian.io/
• Prowler: https://github.com/prowler-cloud/prowler
• AWS nuke: https://github.com/rebuy-de/aws-nuke
• Cloud Intelligence Dashboards: https://catalog.workshops.aws/awscid/

FINOPS
AUTOMATION
2 0 2 4

FINOPS AUTOMATION
Automation to control costs:
• Every EC2 instances and databases are stopped at 7PM
• Cost anomaly detection on all accounts
• AWS budget to observe spent evolution
• Automatic detection of used services (NAT Gateway, VPC
Endpoints …)
• Sandbox costs included in Cloud Intelligence Dashboards
AWS
Lambda
AWS
CloudTrail
Amazon
EventBridge
AWS
Budgets
Amazon
QuickSight

FINOPS LIMITS
Add guardrails to limits unwanted spent:
• Limit access to AWS Marketplace
• Limit access to some instance types & size (ie. x1e.32xlarge)
• Reserved instances
• Limit access to some services (ie. AWS Shield Advanced)
AWS
Budgets
AWS
Organization

A FEW LAST
WORDS
2 0 2 4

OUR C.T.O.
I need advice on several subjects:
Governance: One or more sandboxes?
Data: How protect our data?
Security: How to connect to sandboxes?
Network: How to isolate sandbox from our landing zone?
Costs: How to avoid high costs?
Well
Architected
Framework

TAKEAWAY : SANDBOX STRATEGY IN 5 POINTS
1. Security is Job 0: protect your landing zone
and your data
2. Ownership everywhere
3. Sandboxes are not limitless, but nearly J
4. Cost tracking is mandatory
5. Automation is the best but define your
sandbox strategy is the main goal!

Best practices for establishing AWS Sandbox accounts for your organization

More Related Content

Similar to Best practices for establishing AWS Sandbox accounts for your organization (9)

Recently uploaded (20)

Best practices for establishing AWS Sandbox accounts for your organization