
What can I do with the AWS Sandbox?

About the AWS Sandbox

The AWS Sandbox is meant to provide an open environment for you to come up with and work through your training scenarios. It is an unguided experience where you determine what services, tools, and resources you'd like more practice with! We allow a variety of tools and services within AWS, so you have as many choices as possible when working through your training. We are expanding support for new services monthly!

Allowed Services

  • Amazon Certificate Manager (ACM) - excluding Private Cert Authority
  • Analytics: CloudSearch
  • API Gateway v1
  • API Gateway v2
  • Application Autoscaling
  • Application Discovery Service
  • Athena
  • Auto Scaling
  • Batch
  • Cloud Directory
  • Cloud9
  • CloudFormation
  • CloudFront
  • CloudTrail
  • CloudWatch
  • CodeBuild
  • CodeCommit
  • CodeDeploy
  • CodeGuru
  • CodePipeline
  • CodeStar
  • Cognito-Identity
  • Cognito-Idp
  • Cognito-Sync
  • Comprehend
  • Config
  • DataPipeline
  • Database Migration Service
  • DS
  • DynamoDB
  • DynamoDB Accelerator (DAX)
  • EC2 Container Registry (ECR)
  • EC2 Container Service (ECS)
  • Elastic Beanstalk
  • Elastic Compute Cloud (EC2)
  • Elastic Container Service for Kubernetes (EKS)
  • Elastic File System (EFS)
  • Elastic Load Balancing (ELB)
  • Elastic MapReduce (EMR)
  • Elastic Transcoder
  • ElastiCache
  • Events
  • Firehose
  • Elasticsearch Service
  • Glue
  • Greengrass
  • GuardDuty
  • Health APIs and Notifications
  • Identity and Access Management (IAM)
  • Inspector
  • IoT
  • IoT Analytics
  • IoT OneClick (Projects only)
  • Kafka
  • Key Management Service (KMS)
  • Kinesis
  • Kinesis Analytics
  • Kinesis Video Streams
  • Lambda
  • Lex
  • Migration Hub
  • OpsWorks
  • OpsWorksCM
  • Performance Insights
  • Polly
  • Redshift
  • Rekognition
  • Relational Database Service (RDS)
  • Resource Groups
  • Resource Groups Tagging API
  • Route 53
  • Route 53 Resolver
  • Secrets Manager
  • Security Hub
  • Security Token Service (STS)
  • Server Migration Service
  • Simple Email Service (SES)
  • Simple Notification Service (SNS)
  • Simple Queue Service (SQS)
  • Simple Storage Service (S3)
  • Simple Systems Manager (SSM)
  • States (Step Functions)
  • Textract
  • Transcribe
  • Translate
  • Web Application Firewall (WAF) v1 ONLY
  • Web Application Firewall (WAF) Regional v1 ONLY
  • X-Ray

AWS Sandbox Limits

We try to minimize the limitations of our Sandboxes to provide the most comprehensive training opportunity possible. Unfortunately, there are some limits to what we can provide. Refer to the list below for specific limits we enforce on our AWS Sandbox.

NOTE: This list covers the specific limits on allowed services, but is NOT a comprehensive list of denied services. Any service not explicitly allowed above will be denied.

All Services

  • No Purchasing or Billing permissions
  • Cannot modify Account settings
  • Limited to us-east-1 or us-west-2

EC2 Limits

  • ONLY these Instance Types are allowed:
    • t2.micro to t2.medium
    • t3.micro to t3.medium
  • Max Volume Size of 50GB
  • Max Volume IOPS of 150
  • NO Elastic GPU

EMR Limits

  • Can ONLY use m4.large instance type

IAM Limits

  • Cannot modify cloud_user or the admin role.
  • Cannot use or set up SSO
  • Additional checks enforced via Abuse Checks (see below)

RDS Limits

  • ONLY these Instance Types are allowed:
    • db.t2.micro to db.t2.medium
    • db.t3.micro to db.t3.medium
  • Cannot use Provisioned IOPS
  • Max Storage size of 50GB

Redshift Limits

  • ONLY dc2.large Instance Types
  • Max Cluster Node count of 3

Abuse Detection

In addition to the specific limits listed above, we also have abuse detection set up for our labs. To prevent exploitation, we do not divulge the specifics of how this process works or what it looks for. The purpose of the abuse detection is to ensure compliance with our Terms of Service. Any detection of abusive use can result in immediate termination of the running lab, loss of access to labs or other resources, or more severe consequences up to and including permanent account closure.

A few examples of abuse are listed below. This list is NOT comprehensive. If you have questions on whether your activity may be detected as abuse, please contact our support team BEFORE starting the activity or action.

  • Incorrect instance type
  • Ten or more instances created at a time
  • Ten or more vCPU across all instances
  • Attempting to use resources for Bitcoin mining
  • Excessive network traffic
  • DDoS or port scanning external hosts
  • Keep ECS tasks to a minimum (5 max)