

# Deploy the solution

This solution uses [AWS CloudFormation templates and stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-whatis-concepts.html) to automate its deployment.

1. The CloudFormation template specifies the AWS resources included in this solution and their properties.

1. The CloudFormation stacks provision the resources that are described in the template.

## Deployment process overview


Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

**Time to deploy:** Approximately 60 minutes

Before you launch the solution, review the [Cost](cost.md), [Architecture](architecture-overview.md), [Network security](security-1.md), and other considerations discussed in this guide.

# Prerequisites


Before launching the stacks, you must meet the following prerequisites:

1.  **Identify the AWS account where you want to deploy the solution**: Use the [AWS Management Console](https://console.aws.amazon.com/console/home) to identify and name this as the **Hub** account. We recommend you dedicate this account for running the solution with no other workloads running in the account.

1.  **Verify your home Region**: You must deploy all the stacks in the same AWS Region, and IAM Identity Center (IDC) must be enabled in that same home Region. If you have already enabled IDC, use its Region as your home Region.

1.  **Ensure you have set up an [AWS Organization](https://docs.aws.amazon.com/organizations/) to deploy the solution into**: AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. For more information on how to get started, refer to the [Creating and configuring an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html) tutorial.

1.  **Ensure you have enabled Service Control Policies with Organizations**: For more information, refer to [Managing organization policies with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html).

1.  **Ensure you have enabled and set up AWS IAM Identity Center**: [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/) is used to centrally manage access to your AWS accounts and applications. Enable IAM Identity Center at the organizational level, either using the Organization Management account or a delegated administration account.
   + To enable IAM Identity Center, open the IAM Identity Center console, select your home Region, and on the main page, for Enable IAM Identity Center, choose **Enable**.

1.  **Configure Amazon SES for the application to send email notifications**: Set up SES for the solution and request production access using the Hub account. For more information, refer to [Setting up Amazon SES](https://docs.aws.amazon.com/ses/latest/dg/setting-up.html) and [Requesting production access](https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html).

1.  **Enable resource sharing using AWS Resource Access Manager (RAM)**: For more information on how to set this up, refer to [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs).

1.  **Activate trusted access for CloudFormation StackSets**: AWS CloudFormation StackSets extends the capability of stacks by allowing you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. For more information on how to activate trusted access, refer to [Activate trusted access for stacksets with AWS Organizations](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-activate-trusted-access.html).

1.  **Enable Cost Explorer on the Org Management account**: Ensure that you have enabled Cost Explorer for tracking costs. For more information, refer to [Enable Cost Explorer](https://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html). Note that Cost Explorer requires approximately 24 hours to be enabled for your account.

1.  **Dedicated AWS Lambda concurrent executions limit**: Use [AWS Service Quotas](https://console.aws.amazon.com/servicequotas/home/services/lambda/quotas/L-B99A9384) in your AWS console to verify your AWS Lambda concurrent executions.
   + The Applied quota value in your account should be greater than or equal to the AWS default quota value (which is 1000). If the Applied quota value is less than 1000, select the **Request quota increase** button to request an increase to this value to at least 1000 before deploying the solution. For more information, refer to the [AWS Lambda Developer Guide](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-limits.html).

1.  **Ensure that all accounts used are members of the AWS Organization**: The deployment will fail if this is not the case.
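The prerequisites above can be checked from the command line before launching any stack. The following pre-flight script is an added example, not part of the Innovation Sandbox solution or the guide. It assumes AWS CLI v2 with credentials for the Org Management account in the default profile, a placeholder profile name `ISB_HUB_PROFILE` for the Hub account, and that trusted access for RAM and StackSets is visible under the service principals `ram.amazonaws.com` and `member.org.stacksets.cloudformation.amazonaws.com`. The quota code `L-B99A9384` is the Lambda concurrent executions quota linked in the prerequisites. Pure helpers are separated from the AWS calls so the comparison logic can be exercised offline; the live checks run only when `ISB_RUN_PREFLIGHT=1`.

```shell
#!/bin/sh
# Added pre-flight check for the deployment prerequisites (example only).
# Placeholders: ISB_HUB_PROFILE (Hub account profile), ISB_RUN_PREFLIGHT.

LAMBDA_QUOTA_CODE="L-B99A9384"   # Lambda "Concurrent executions" quota code from the guide
REQUIRED_CONCURRENCY=1000        # minimum Applied quota value required by the guide

# Success when an Applied quota value (a float string such as "1000.0")
# is at least the required minimum.
quota_meets_minimum() {
  awk -v applied="$1" -v minimum="$2" 'BEGIN { exit !(applied + 0 >= minimum + 0) }'
}

# Success when a service principal appears in a newline-separated list of
# principals that have trusted access enabled in the organization.
has_trusted_access() {
  printf '%s\n' "$1" | grep -qxF "$2"
}

# Success when an Organizations policy-type status reads ENABLED.
policy_type_enabled() {
  [ "$1" = "ENABLED" ]
}

report() {  # report <ok|fail> <message>; counts failures in $failures
  if [ "$1" = ok ]; then echo "OK   $2"; else echo "FAIL $2"; failures=$((failures + 1)); fi
}

run_preflight() {
  failures=0

  applied=$(aws service-quotas get-service-quota \
      --service-code lambda --quota-code "$LAMBDA_QUOTA_CODE" \
      --query 'Quota.Value' --output text)
  if quota_meets_minimum "$applied" "$REQUIRED_CONCURRENCY"; then
    report ok "Lambda concurrent executions quota: $applied"
  else
    report fail "Lambda quota is $applied; request an increase to at least $REQUIRED_CONCURRENCY"
  fi

  scp_status=$(aws organizations list-roots \
      --query 'Roots[0].PolicyTypes[?Type==`SERVICE_CONTROL_POLICY`].Status' --output text)
  if policy_type_enabled "$scp_status"; then
    report ok "Service Control Policies enabled at the organization root"
  else
    report fail "Service Control Policies are not enabled (status: $scp_status)"
  fi

  principals=$(aws organizations list-aws-service-access-for-organization \
      --query 'EnabledServicePrincipals[].ServicePrincipal' --output text | tr '\t' '\n')
  for p in ram.amazonaws.com member.org.stacksets.cloudformation.amazonaws.com; do
    if has_trusted_access "$principals" "$p"; then
      report ok "trusted access enabled for $p"
    else
      report fail "trusted access not enabled for $p"
    fi
  done

  idc=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text)
  if [ -n "$idc" ] && [ "$idc" != "None" ]; then
    report ok "IAM Identity Center instance found: $idc"
  else
    report fail "no IAM Identity Center instance in this Region"
  fi

  ses=$(aws sesv2 get-account --profile "$ISB_HUB_PROFILE" \
      --query 'ProductionAccessEnabled' --output text)
  if [ "$ses" = "True" ]; then
    report ok "SES production access enabled in the Hub account"
  else
    report fail "SES is still in the sandbox in the Hub account"
  fi

  [ "$failures" -eq 0 ]
}

if [ "${ISB_RUN_PREFLIGHT:-0}" = "1" ]; then
  run_preflight
fi
```

Run it from the Org Management account with `ISB_HUB_PROFILE=<hub-profile> ISB_RUN_PREFLIGHT=1 sh preflight.sh`; a non-zero exit means at least one prerequisite is missing. Cost Explorer has no equivalent one-line check here, so confirm it in the console as described above.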

# AWS CloudFormation templates


This solution uses AWS CloudFormation to automate the deployment of Innovation Sandbox on AWS in the AWS Cloud. It includes the following CloudFormation template, which you can download before deployment.

## AccountPool stack


[https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-AccountPool.template](https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-AccountPool.template)

**InnovationSandbox-AccountPool.template** - Use this template to deploy the resources required to set up Organizational Units (OUs), Service Control Policies (SCPs), roles, and Regions.

## IDC stack


[https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-IDC.template](https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-IDC.template)

**InnovationSandbox-IDC.template** - Use this template to deploy the resources required to set up IDC, including mappings, roles, policies, and other configuration.

## Data stack


[https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Data.template](https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Data.template)

**InnovationSandbox-Data.template** - Use this template to deploy the data resources required for the application. This stack also contains the AWS AppConfig hosted configurations for the solution's global configurations and Nuke configurations.

## Compute stack


[https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Compute.template](https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Compute.template)

**InnovationSandbox-Compute.template** - Use this template to deploy the compute resources required for the ISB application. This stack contains all of the stateless (compute) resources used by the solution, including the web application and the event infrastructure.

**Important**  
The **SandboxAccount** stack is automatically configured as a service-managed StackSet resource in the **AccountPool** stack, using the **AccountPool OU** as the deployment target. The stack contains a single **Spoke** role that the compute resources in the Compute stack assume to run the account clean-up job.

These AWS CloudFormation templates deploy the Innovation Sandbox on AWS solution in the AWS Cloud.

# Launch the stacks


You must gather deployment parameter details before deploying the stacks. For details, refer to [Prerequisites](prerequisites.md).

**Time to deploy:** Approximately 60 minutes

You must deploy these four stacks for the Innovation Sandbox solution in the following order. Failing to do so will result in deployment failures.

1.  [Step 1: Deploy the `AccountPool` stack](step1-deploy-accountpool-stack.md) 

1.  [Step 2: Deploy the `IDC` stack](step2-deploy-idc-stack.md) 

1.  [Step 3: Deploy the `Data` stack](step3-deploy-data-stack.md) 

1.  [Step 4: Deploy the `Compute` stack](step4-deploy-compute-stack.md) 

# Step 1: Deploy the AccountPool stack


In this step, you will deploy the resources required to set up Organizational Units (OUs), Service Control Policies (SCPs), roles, and Regions.

**Important**  
Ensure that you log in to the **Org Management** account to deploy the AccountPool stack.

**Note**  
Refer to [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions) for a list of supported AWS Regions.

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select the button to launch the `AccountPool` stack CloudFormation template.

 [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-AccountPool.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-AccountPool.template&redirectId=ImplementationGuide) 

The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box, and choose **Next**.

1. On the **Specify stack** details page, enter a stack name for your solution stack. For information about naming character limitations, see [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the AWS Identity and Access Management User Guide.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/step1-deploy-accountpool-stack.html)

1. Choose **Next**.

1. On the **Configure stack options** page, review and select to acknowledge the messages under **Capabilities and transforms**, and choose **Next**.

1. On the **Review and create** page, review and confirm the settings.

1. Choose **Submit** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a **CREATE_COMPLETE** status in approximately 60 minutes.

**Note**  
Always include `us-east-1` as an ISB Managed Region to enable AWS global services. For example, if you want to enable `eu-west-1`, the parameter value should be `us-east-1,eu-west-1`.

# Step 2: Deploy the IDC stack


In this step, you will deploy the resources required to set up IDC, including mappings, roles, policies, and other configuration.

**Important**  
Ensure that you log in using the account where you have configured the IAM Identity Center Instance for your AWS Organization. This can be either the Organization Management account or a delegated administration account that has been configured for IAM Identity Center.

**Note**  
**Using a Delegated Administration Account for IAM Identity Center**: AWS recommends using a delegated administration account for IAM Identity Center rather than the Organization Management account for security best practices. If you are using a delegated administration account, ensure that:
+ The delegated administration account has been properly configured for IAM Identity Center.
+ You deploy the IDC stack in the delegated administration account.
+ You provide the Organization Management account ID in the **Org Management Account Id** parameter (not the delegated admin account ID).

For more information on setting up delegated administration for IAM Identity Center, refer to the [AWS IAM Identity Center delegated administration documentation](https://docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html).

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select the button to launch the `IDC` stack CloudFormation template.

 [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-IDC.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-IDC.template&redirectId=ImplementationGuide) 

The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box, and choose **Next**.

1. On the **Specify stack** details page, enter a stack name for your solution stack. For information about naming character limitations, see [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the AWS Identity and Access Management User Guide.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.
**Important**  
When using an external identity provider with SCIM integration (such as Microsoft Entra or Okta), you must create the ISB user groups in the external provider using the exact names specified in the group name parameters below, or the default names if left empty.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/step2-deploy-idc-stack.html)

1. Choose **Next**.

1. On the **Configure stack options** page, review and select to acknowledge the messages under Capabilities and transforms, and choose **Next**.

1. On the **Review and create** page, review and confirm the settings.

1. Choose **Submit** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a **CREATE_COMPLETE** status in approximately 60 minutes.

# Step 3: Deploy the Data stack


In this step, you will deploy the data resources required for the ISB application.

**Important**  
Ensure that you are logged in using the **Hub** account for deploying the Data stack.

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select the button to launch the `Data` stack CloudFormation template.

 [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Data.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Data.template&redirectId=ImplementationGuide) 

The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box, and choose **Next**.

1. On the **Specify stack** details page, enter a stack name for your solution stack. For information about naming character limitations, see [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the AWS Identity and Access Management User Guide.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/step3-deploy-data-stack.html)

1. Choose **Next**.

1. On the **Configure stack options** page, review and select to acknowledge the messages under Capabilities and transforms, and choose **Next**.

1. On the **Review and create** page, review and confirm the settings.

1. Choose **Submit** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a **CREATE_COMPLETE** status in approximately 60 minutes.

# Step 4: Deploy the Compute stack


In this step, you will deploy the compute resources required for the ISB application.

**Important**  
Ensure that you are logged in using the **Hub** account for deploying the Compute stack.

1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select the button to launch the `Compute` stack CloudFormation template.

 [https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Compute.template&redirectId=ImplementationGuide](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?&templateURL=https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest/InnovationSandbox-Compute.template&redirectId=ImplementationGuide) 

The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

1. On the **Create stack** page, verify that the correct template URL is in the **Amazon S3 URL** text box, and choose **Next**.

1. On the **Specify stack** details page, enter a stack name for your solution stack. For information about naming character limitations, see [IAM and AWS STS quotas, name requirements, and character limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html) in the AWS Identity and Access Management User Guide.

1. Under **Parameters**, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/solutions/latest/innovation-sandbox-on-aws/step4-deploy-compute-stack.html)

1. Choose **Next**.

1. On the **Configure stack options** page, review and select to acknowledge the messages under Capabilities and transforms, and choose **Next**.

1. On the **Review and create** page, review and confirm the settings.

1. Choose **Submit** to deploy the stack.

You can view the status of the stack in the AWS CloudFormation Console in the Status column. You should receive a **CREATE_COMPLETE** status in approximately 60 minutes.
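The four console procedures in Steps 1 through 4 can also be driven from the AWS CLI, which makes the mandated order and the "wait for `CREATE_COMPLETE` before continuing" rule explicit. The script below is an added example, not part of the Innovation Sandbox solution or this guide. It assumes AWS CLI v2; placeholder named profiles `ISB_ORG_MGMT_PROFILE`, `ISB_IDC_PROFILE` and `ISB_HUB_PROFILE` holding credentials for the Org Management, IAM Identity Center and Hub accounts respectively; a placeholder `<stack>-params.json` parameter file per stack that you populate from the parameter tables linked in each step; and `ISB_MANAGED_REGIONS` as a placeholder for the AccountPool managed-Regions value, which the script refuses unless it contains `us-east-1` as the Step 1 note requires. The template URLs are the ones listed under AWS CloudFormation templates, and the capability flags correspond to the Capabilities and transforms acknowledgement in the console. AWS calls run only when `ISB_RUN_DEPLOY=1`.

```shell
#!/bin/sh
# Added example: ordered CLI deployment of the four ISB stacks (not the solution's own code).
# Placeholders: ISB_ORG_MGMT_PROFILE, ISB_IDC_PROFILE, ISB_HUB_PROFILE,
# ISB_MANAGED_REGIONS, <stack>-params.json, ISB_RUN_DEPLOY.

TEMPLATE_BASE="https://solutions-reference.s3.amazonaws.com/innovation-sandbox-on-aws/latest"
ISB_HOME_REGION="${ISB_HOME_REGION:-us-east-1}"   # must be the IDC home Region for all four stacks

# Deployment order mandated by the guide; deploying out of order fails.
stack_order() {
  echo "AccountPool IDC Data Compute"
}

# Account (profile) each stack must be deployed from, per the Important notes.
profile_for_stack() {
  case "$1" in
    AccountPool)  echo "$ISB_ORG_MGMT_PROFILE" ;;
    IDC)          echo "$ISB_IDC_PROFILE" ;;
    Data|Compute) echo "$ISB_HUB_PROFILE" ;;
    *)            return 1 ;;
  esac
}

# Public template URL for a stack, built from the base listed in the guide.
template_url() {
  echo "$TEMPLATE_BASE/InnovationSandbox-$1.template"
}

# The ISB Managed Regions list must include us-east-1 so AWS global
# services are covered (Step 1 note). Accepts a comma-separated list.
validate_managed_regions() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -qxF 'us-east-1'
}

# Create one stack and block until CloudFormation reports CREATE_COMPLETE.
# `wait stack-create-complete` exits non-zero on any rollback or failure,
# which stops the sequence before the next stack is attempted.
deploy_stack() {
  name="$1"
  profile=$(profile_for_stack "$name") || { echo "unknown stack: $name" >&2; return 1; }
  aws cloudformation create-stack \
    --profile "$profile" --region "$ISB_HOME_REGION" \
    --stack-name "InnovationSandbox-$name" \
    --template-url "$(template_url "$name")" \
    --parameters "file://${name}-params.json" \
    --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
  aws cloudformation wait stack-create-complete \
    --profile "$profile" --region "$ISB_HOME_REGION" \
    --stack-name "InnovationSandbox-$name"
  status=$(aws cloudformation describe-stacks \
    --profile "$profile" --region "$ISB_HOME_REGION" \
    --stack-name "InnovationSandbox-$name" \
    --query 'Stacks[0].StackStatus' --output text)
  echo "InnovationSandbox-$name: $status"
  [ "$status" = "CREATE_COMPLETE" ]
}

if [ "${ISB_RUN_DEPLOY:-0}" = "1" ]; then
  if ! validate_managed_regions "${ISB_MANAGED_REGIONS:-us-east-1}"; then
    echo "ISB_MANAGED_REGIONS must include us-east-1" >&2
    exit 1
  fi
  for s in $(stack_order); do
    deploy_stack "$s" || exit 1
  done
fi
```

Each `create-stack` call is followed by a blocking wait, so a failure in the AccountPool stack never leaves a half-configured IDC, Data or Compute stack behind it; re-running after fixing the cause only needs the stacks that have not reached `CREATE_COMPLETE`.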