CONTACT US

Step-by-step guide

Sandbox Account Setup

Goal

Create a new sandbox AWS account under your existing AWS Organization and log in as its administrator.

Prerequisites

  • You must have Organizations: Full access permissions in the management (root) account.
  • You should already be signed into the AWS Management Console as an IAM Identity Center (SSO) or root user with admin privileges.
I need to set up sandbox account
I already have a sandbox account

Sandbox account creation instructions

Here’s a step-by-step, business-friendly console guide for creating and logging into a new AWS account within an AWS Organization (for sandbox or experimental use):

Step-by-Step Instructions

1

Open AWS Organizations

  1. Sign in to your management account.
  2. In the AWS Console, go to: https://console.aws.amazon.com/organizations
2

Create a New AWS Account

  1. In the left panel, select Accounts.
  2. Choose Add an account → Create an AWS account.
  3. Fill out the form:
  • Account name: Sandbox – <TeamName or Purpose>
    (e.g., “Sandbox – AI Experiments”)
  • Email address: Use a unique alias
    (e.g., sandbox+ai@yourcompany.com).
  • IAM role name (optional): Keep the default OrganizationAccountAccessRole unless your org uses a custom naming policy.
  1. Click Create AWS account.

It will take a few minutes for AWS to provision the account.
Once done, you’ll see it listed under Accounts → Status: Active.

3

Assign the Account to the Right OU (Optional)

  1. From the Accounts page, select the new account.
  2. Click Move, then choose your Sandbox OU (Organizational Unit).
  • This helps apply sandbox-specific SCPs, budgets, or tagging policies automatically.
4

Log Into the New Account

You have two main options:

Option A — Using AWS IAM Identity Center (recommended)
  1. Go to your SSO portal: https://.awsapps.com/start.
  2. Find the Sandbox account.
  3. Choose the AdministratorAccess role (or equivalent).
  4. You’ll be redirected to the AWS Console for that account.
Option B — Using the Root Login (for initial setup)
  1. Go to https://signin.aws.amazon.com/.
  2. Sign in with the sandbox email address used during creation.
  3. Click Forgot password to set a new password if needed.
  4. Once in, enable MFA and update the contact information.

Summary

You’ve now:

  • Created a new sandbox account under your Organization
  • Logged in securely (via SSO or root)
  • Optionally moved it into a Sandbox OU and tagged it for clarity
5

Now Continue Through the Bootstrap Instructions

Bootstrap instructions for NMD access

In order to build the solution in your environment we will need access to the project sandbox environment. This process usually takes only 10 minutes to complete.

Prerequisite: Sandbox account setup

You will need the following XML file(GoogleIDPMetadata.xml) for step 8 below:

				
					<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://accounts.google.com/o/saml2?idpid=C03vzt6hn" validUntil="2026-02-08T19:34:00.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDdDCCAlygAwIBAgIGAXeISVJKMA0GCSqGSIb3DQEBCwUAMHsxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MQ8wDQYDVQQDEwZHb29nbGUxGDAWBgNVBAsTD0dv
b2dsZSBGb3IgV29yazELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEwHhcNMjEwMjA5
MTkzNDAwWhcNMjYwMjA4MTkzNDAwWjB7MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEPMA0GA1UEAxMGR29vZ2xlMRgwFgYDVQQLEw9Hb29nbGUgRm9yIFdvcmsx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAqKjXZa7wHzsQ7JTAU3Fp2lukxpjmCDcJ9AkvXgkIKR+ATrlD2+a3u8dOfvHvOvBY
yn+47d0DmjDBr0rcThI6vHWghDxV/Kz50/vE43rtrqEYATxWtnsWjjYeeTfGwNLx/lz0dlyB+Q5I
ig0/s9mTW6km8DEA7Bl/FIpoXniYvyfDn8dxSsHzuwS0R0rbdPzDceN5HDCziDHMEbZhYyCHj7sv
mPynJkRZTGnFAxkBDASTzZvD4dW/35Vftl/5YExi8jkUstJR7UvV/dJMCsNolhngNVwuJyofF/vZ
64EVszzRmN6k2FyzRX/wq3bONnP03LWgOAhWrC2KkeDT3RDxgwIDAQABMA0GCSqGSIb3DQEBCwUA
A4IBAQAZP5MVqePz+XChN2A9tgjudpLLAJKcrJ0Gi1InnaW4RiQ0TbsxagG22DNoCYMyXuTd9mxO
cmxAkquODKhlcae6qf97A8o2Kv3iHdhBd1t2sPkevG29CaoZk0zOTimLGfJtDI8Lo+hrp+CwIyw8
vyfRbGmxINd2KV5Klp1JM3mRRLujA9aVsM9Kc16IKEvj5yDt1FjoFyNX9O4gtSqHq2K3kMm3gCtI
4stVECvzE8bVcpmApc/mhgWdnDCVt/T1p1YUeYVuBCp1y7YZ8KNAgrZOImp0KSuC+TmgjuiRCwnP
vgGyGff5wdyMaIz3mLBUVUp+kL026pihgIs+7YwcEjV2</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.google.com/o/saml2/idp?idpid=C03vzt6hn"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://accounts.google.com/o/saml2/idp?idpid=C03vzt6hn"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Easy step by step instructions using the AWS Console

  1. Log in to your AWS account.
  2. In the AWS Console search for Cloudformation.
  1. Click on CloudFormation.
  2. Click Create Stack and With new resources (standard).
  1. Click Choose an Existing Template, Upload a template file and then upload the main.yaml file you find here: GitHub – New-Math-Data/Bootstrap: Creates an identity provider in a customer account.
  1. Click Next and type nmd-developer-access-saml in the Stack Name box.
  2. Type your company name in the the custNameAbbreviation box.
  1. Paste the entire contents of GoogleIDPMetadata.xml into the samlMetaData box and click Next.
  2. Under Capabililties, check the box to acknowledge that AWS CloudFormation might create IAM resources with custom names, and then click Next.
  1. Scroll all the way down and click submit.

At the end of the process you will receive two values. Click on the Outputs tab to see them:

  • NewMathDataSsoRole
  • NewMathDataIdentityProvider

Please provide those values to us. If you have any questions please let us know and we will be happy to help.