Create test environments with Sandbox account


I am thinking of creating sandbox accounts under a Sandbox OU, so that each team member has their own test environment for building their own ideas. The ultimate aim is to have separate environments for production and development.

I am planning to create individual users for each of the team members. Then I will assign them to their individual accounts. Then I will grant them AdministratorAccess. But how do I make sure they have no access (not even view access) to the production environment and the other sandbox accounts?

Production OU
  - Production-account1 (account)

Sandbox OU
  - Sandbox-acc1 (account)
      - user1 (user)
  - Sandbox-acc2 (account)
      - user2 (user)
  - Sandbox-acc3 (account)
      - user3 (user)

Lottie, asked 3 months ago, 296 views

1 Answer

Accepted Answer (score 2)

Hello.

Just link the users created with IAM Identity Center so that they can access only the required AWS accounts.
For example, if "user1" only accesses the AWS account "Sandbox-acc1", by linking "user1" only to "Sandbox-acc1", he will be able to sign in only to "Sandbox-acc1".
The configuration steps are as described in the document below.
https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html

EXPERT, answered 3 months ago; reviewed 2 months ago by an EXPERT
  • I have linked user1 to sandbox-acc1 and assigned user1 the permission set AdministratorAccess. Unfortunately, when logged in as user1, user1 is able to view the VPC created by users in the account in the Production OU.

  • I don't think it's possible to restrict viewing of resources within the same AWS account. If you do not want them to be able to view it, you will need to recreate the resource in a different AWS account.

  • No, not the same account. user1 in the sandbox-acc1 account (Sandbox OU) is still able to view resources created by a user in another account that resides in the Production OU. I want to restrict user1 so that it is not able to access and view resources created by users in the Production OU.

  • Which AWS account was the VPC created in? If it was created in "sandbox-acc1", it is normal for it to be viewed by "user1". If you do not want "user1" to see the VPC, you need to revoke "user1"'s privileges to operate the VPC or create the VPC in an AWS account other than "sandbox-acc1".

  • The VPC was created by the user in the production account. However, user1 in sandbox-acc1 is able to view that VPC and all other resources created by the user in the production account.
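As an added check that is not part of the question or the accepted answer, the following Python audits a list of IAM Identity Center account assignments against the OU layout described above and flags any sandbox user who is assigned to a production account or to another member's sandbox account, since a user can only sign in to accounts that carry an assignment for them. All account IDs, user names and assignments are constructed; the CLI commands named in the docstring are where the real data would come from.

```python
"""Audit Identity Center assignments against the question's OU layout (added example).
Real data: `aws organizations list-accounts-for-parent` and `aws sso-admin list-account-assignments`."""
from collections import defaultdict

# Constructed: account ID -> OU, mirroring the question's layout.
ACCOUNT_OU = {
    "111111111111": "Production",   # Production-account1
    "222222222222": "Sandbox",      # Sandbox-acc1
    "333333333333": "Sandbox",      # Sandbox-acc2
    "444444444444": "Sandbox",      # Sandbox-acc3
}

# Constructed: the sandbox account each user is supposed to own.
OWNER_OF = {"222222222222": "user1", "333333333333": "user2", "444444444444": "user3"}

# Constructed assignments (principal, account_id, permission_set). The last two are
# the kind of mistake that lets a sandbox user sign in to an account they should not see.
ASSIGNMENTS = [
    ("user1", "222222222222", "AdministratorAccess"),
    ("user2", "333333333333", "AdministratorAccess"),
    ("user3", "444444444444", "AdministratorAccess"),
    ("user1", "111111111111", "ViewOnlyAccess"),        # sandbox user on a production account
    ("user2", "222222222222", "AdministratorAccess"),   # sandbox user on someone else's sandbox
]


def sign_in_scope(assignments):
    """Accounts each principal can choose on the access portal: those with an assignment."""
    scope = defaultdict(set)
    for principal, account, _ in assignments:
        scope[principal].add(account)
    return dict(scope)


def audit(assignments, account_ou, owner_of):
    """Return findings for assignments that cross the Sandbox/Production boundary."""
    findings = []
    for principal, account, pset in assignments:
        ou = account_ou.get(account, "UNKNOWN")
        if ou == "Production" and principal in owner_of.values():
            findings.append(f"{principal} has {pset} on production account {account}")
        elif ou == "Sandbox" and owner_of.get(account) != principal:
            findings.append(f"{principal} has {pset} on {account}, owned by {owner_of.get(account)}")
    return findings


if __name__ == "__main__":
    for line in audit(ASSIGNMENTS, ACCOUNT_OU, OWNER_OF):
        print("FINDING:", line)
```

If a sandbox user can see production resources while this audit is clean, the resource was created in the sandbox account itself, which is what the comment thread above circles around.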
