
Hub Account Resources

Last Updated: 2026-03-02
Source: innovation-sandbox-on-aws CDK stacks + AWS resource discovery
Captured SHA: cf75b87

Executive Summary

The Innovation Sandbox Hub account (568672915267, InnovationSandboxHub) hosts the ISB control plane and all CDDO satellite services. Of the four upstream ISB CloudFormation stacks (AccountPool, IDC, Data, Compute), the Data and Compute stacks are deployed in this account; AccountPool and IDC are deployed in the Org Management account because they manage OUs, SCPs and IAM Identity Center. The hub also hosts the CDK stacks for the deployer, approver, billing separator and costs services, the Landing Zone Accelerator infrastructure stacks, the NDX website static assets, and the scenarios screenshot pipeline. Sandbox resources are deployed across the us-east-1 and us-west-2 regions.


Account Details

| Property | Value |
|---|---|
| Account ID | 568672915267 |
| Account Name | InnovationSandboxHub |
| Email | ndx-try-provider+gds-ndx-try-aws-isb-hub@dsit.gov.uk |
| OU | Workloads / Prod (ou-2laj-bje756n2) |
| Regions | us-east-1, us-west-2 |

ISB Core Stacks

The upstream ISB solution deploys four CloudFormation stacks, two in the Org Management account and two in the hub. In the NDX deployment the deployed stack and resource names carry the prefix `ndx-try` (for example the Compute stack is `ndx-try-isb-compute`), which is the effective ISB namespace:

| Stack | Deployed To | Purpose |
|---|---|---|
| InnovationSandbox-AccountPool | Org Management (955063685555) | OU creation, SCP lifecycle, account registration |
| InnovationSandbox-IDC | Org Management (955063685555) | IAM Identity Center groups, SSO application, permission sets |
| InnovationSandbox-Data | Hub (568672915267) | DynamoDB tables, AppConfig configuration |
| InnovationSandbox-Compute | Hub (568672915267) | Lambda functions, API Gateway, EventBridge, Step Functions, CloudFront |

Compute Stack Resources

The Compute stack (`ndx-try-isb-compute`) is the largest of the four and contains the core ISB business logic. All of its Lambda functions run on Node.js 22:

Lambda Functions (ISB Core)

| Function | Runtime | Purpose |
|---|---|---|
| Accounts Lambda | Node.js 22 | Account registration, status queries, OU management |
| Leases Lambda | Node.js 22 | Lease CRUD, approval/termination workflow |
| Lease Templates Lambda | Node.js 22 | Template management (PUBLIC/PRIVATE visibility) |
| Lease Monitoring Lambda | Node.js 22 | Periodic budget/duration threshold checks |
| Authorizer Lambda | Node.js 22 | JWT-based API Gateway authorization |
| Configurations Lambda | Node.js 22 | AppConfig read/write (global, nuke, reporting) |
| Cost Reporting Lambda | Node.js 22 | Individual lease cost tracking |
| Group Cost Reporting Lambda | Node.js 22 | Departmental cost aggregation |
| Email Notification Lambda | Node.js 22 | SES email dispatch for lease events |
| SSO Handler Lambda | Node.js 22 | IAM Identity Center user/group operations |
| Account Cleaner Initialize Lambda | Node.js 22 | Step Functions cleanup orchestration |
| Account Drift Monitoring Lambda | Node.js 22 | Detect configuration drift in pool accounts |
| Log Archiving Lambda | Node.js 22 | Move CloudWatch logs to S3 archive |
| JWT Secret Rotator Lambda | Node.js 22 | Periodic JWT signing key rotation |
| Deployment UUID Lambda | Node.js 22 | Solution tracking identifier |
| Anonymized Metrics Lambda | Node.js 22 | AWS telemetry reporting |

Data Layer (Data Stack)

| Resource | Name Pattern | Purpose |
|---|---|---|
| DynamoDB Table | `{namespace}-isb-sandboxAccounts` | Account status and metadata |
| DynamoDB Table | `{namespace}-isb-leases` | Lease records with TTL |
| DynamoDB Table | `{namespace}-isb-leaseTemplates` | Template definitions |
| AppConfig Application | `{namespace}-isb-config` | Hosted configuration |
| AppConfig Profile | Global Config | Lease limits, cleanup parameters, auth settings |
| AppConfig Profile | Nuke Config | aws-nuke protected-resource filters |
| AppConfig Profile | Reporting Config | Cost group definitions |

CDDO Satellite Stacks

In addition to the core ISB stacks, the hub account hosts CDDO's custom satellite services, each driven by an EventBridge trigger:

| Stack | Purpose | EventBridge Trigger |
|---|---|---|
| isb-deployer-dev | CloudFormation deployment to sandbox accounts | LeaseApproved (archived) |
| Approver infrastructure | Score-based lease approval | LeaseRequested |
| Billing Separator (hub) | 72-hour quarantine enforcement | CloudTrail events |
| Costs infrastructure | Lease cost collection | LeaseTerminated |

S3 Buckets

| Bucket Name Pattern | Purpose | Region |
|---|---|---|
| `approver-domain-list-568672915267` | UK gov domain allowlist for approver | us-east-1 |
| `dev-isb-deployer-artifacts` | CDK/CFN templates for deployer | us-east-1 |
| `isb-deployer-artifacts-568672915267` | Deployment artifacts | us-east-1 |
| `isb-lease-costs-568672915267-us-west-2` | Lease cost CSV reports (3-year retention) | us-west-2 |
| `ndx-static-prod` | NDX website static assets | us-east-1 |
| `ndx-try-isb-compute-*-frontend-*` | ISB web UI assets | us-east-1 |
| `ndx-try-isb-compute-*-accesslogs-*` | CloudFront access logs | us-east-1 |
| `ndx-try-isb-compute-*-groupcostreporting-*` | Group cost reports | us-east-1 |
| `ndx-try-isb-compute-*-logarchiving-*` | ISB log archive | us-east-1 |
| `ndx-try-screenshots-us-east-1` | Scenario screenshot pipeline | us-east-1 |
| `aws-accelerator-s3-access-logs-*` | LZA access logs | us-east-1 |
| `cdk-hnb659fds-assets-*` | CDK bootstrap assets | us-east-1, us-west-2 |

EventBridge Rules

| Rule | State | Trigger |
|---|---|---|
| isb-deployer-lease-approved-dev | ENABLED | LeaseApproved events |
| LZA CloudWatch log subscription rules | ENABLED | New log group creation |
| Security Hub event logging rules | ENABLED | Security Hub findings |
| Control Tower managed rules | ENABLED | Config compliance changes |

LZA Infrastructure Stacks

The hub account also contains 15+ Landing Zone Accelerator stacks managing the baseline infrastructure:

| Stack Pattern | Purpose |
|---|---|
| `AWSAccelerator-NetworkVpcStack-*` | VPC networking |
| `AWSAccelerator-SecurityStack-*` | GuardDuty, Security Hub, Macie setup |
| `AWSAccelerator-LoggingStack-*` | CloudWatch log subscriptions |
| `AWSAccelerator-OperationsStack-*` | SSM parameter operations |
| `AWSAccelerator-CustomizationsStack-*` | Custom configurations |
| `AWSAccelerator-KeyStack-*` | KMS key management |
| `AWSAccelerator-DependenciesStack-*` | Cross-stack dependencies |
| `AWSAccelerator-CDKToolkit` | CDK bootstrap |

Resource Naming Conventions

| Pattern | Example | Owner |
|---|---|---|
| `ndx-try-isb-compute-*` | `ndx-try-isb-compute-LeasesLambda*` | ISB Core |
| `isb-deployer-*` | `isb-deployer-dev` | CDDO Deployer |
| `dev-isb-*` | `dev-isb-leases` | ISB Dev environment |
| `AWSAccelerator-*` | `AWSAccelerator-LoggingStack-*` | LZA |
| `StackSet-AWSControlTower*` | `StackSet-AWSControlTowerBP-*` | Control Tower |
| `aws-controltower-*` | `aws-controltower-NotificationForwarder` | Control Tower |
| `cdk-hnb659fds-*` | `cdk-hnb659fds-assets-568672915267-*` | CDK Bootstrap |
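The naming conventions above, together with the S3 bucket table earlier on this page, double as an inventory check: anything in the hub account whose name matches none of the owner patterns is either undocumented or left over from something that should have been removed, and a name embedding a 12-digit account ID other than 568672915267 points at a resource created for a different account. The following is an added example of that check, not code from the ISB solution or the CDDO repositories. The glob patterns are taken from the two tables; owner labels marked "assumed" in the code are extrapolated for bucket families the naming table does not list. The sample names are constructed for the example (the hashes and the foreign account ID 111122223333 are made up); in practice the input would be the stack names from `aws cloudformation list-stacks` and the bucket names from `aws s3api list-buckets`.

```python
"""Classify hub-account stack and bucket names by owner pattern and flag outliers.

Added example, not part of the ISB or CDDO code base.
"""
import fnmatch
import re
from collections import defaultdict
from typing import Dict, List, Optional

HUB_ACCOUNT_ID = "568672915267"  # from the Account Details table on this page

# (glob, owner) pairs. Globs come from the Resource Naming Conventions and
# S3 Buckets tables; first match wins, so more specific globs sit first.
# Owner labels marked "assumed" are not stated on the page.
OWNER_PATTERNS = [
    ("ndx-try-isb-compute-*", "ISB Core"),
    ("ndx-try-screenshots-*", "NDX screenshots"),      # assumed label
    ("ndx-static-*", "NDX website"),                    # assumed label
    ("isb-deployer-*", "CDDO Deployer"),
    ("dev-isb-*", "ISB Dev environment"),
    ("isb-lease-costs-*", "CDDO Costs"),                # assumed label
    ("approver-domain-list-*", "CDDO Approver"),        # assumed label
    ("AWSAccelerator-*", "LZA"),
    ("aws-accelerator-*", "LZA"),                       # LZA S3 access-log buckets
    ("StackSet-AWSControlTower*", "Control Tower"),
    ("aws-controltower-*", "Control Tower"),
    ("cdk-hnb659fds-*", "CDK Bootstrap"),
]

# A 12-digit run not adjacent to other digits, i.e. an AWS account ID
# embedded in a bucket or asset name.
_ACCOUNT_ID = re.compile(r"(?<!\d)(\d{12})(?!\d)")


def classify(name: str) -> Optional[str]:
    """Return the owner label for a stack/bucket name, or None if no glob matches."""
    for glob, owner in OWNER_PATTERNS:
        if fnmatch.fnmatchcase(name, glob):  # case-sensitive glob match
            return owner
    return None


def inventory(names: List[str]) -> Dict[Optional[str], List[str]]:
    """Group names by owner label; names matching no pattern land under the key None."""
    groups: Dict[Optional[str], List[str]] = defaultdict(list)
    for name in names:
        groups[classify(name)].append(name)
    return dict(groups)


def foreign_account_ids(names: List[str], expected: str = HUB_ACCOUNT_ID) -> List[str]:
    """Names that embed a 12-digit account ID other than the expected hub account ID."""
    return [n for n in names if any(m != expected for m in _ACCOUNT_ID.findall(n))]


# Constructed sample input: realistic shapes, made-up suffixes.
SAMPLE_NAMES = [
    "ndx-try-isb-compute-LeasesLambdaA1B2C3D4",
    "isb-deployer-dev",
    "dev-isb-leases",
    "AWSAccelerator-LoggingStack-568672915267-us-east-1",
    "StackSet-AWSControlTowerBP-BASELINE-CONFIG-abc123",
    "aws-controltower-NotificationForwarder",
    "cdk-hnb659fds-assets-568672915267-us-west-2",
    "isb-lease-costs-568672915267-us-west-2",
    "cdk-hnb659fds-assets-111122223333-us-east-1",  # constructed: wrong account ID
    "old-poc-bucket-2024",                           # constructed: no owner pattern
]

if __name__ == "__main__":
    for owner, names in sorted(inventory(SAMPLE_NAMES).items(), key=lambda kv: str(kv[0])):
        print(f"{owner or 'UNOWNED'}: {', '.join(names)}")
    print("foreign account IDs:", foreign_account_ids(SAMPLE_NAMES))
```

Run against real output, the two findings worth acting on are the `UNOWNED` group (add the pattern to the table above if the resource is legitimate, otherwise delete the resource) and the foreign-account list, which should be empty in this account.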


Generated from CDK source analysis and AWS resource discovery on 2026-03-02. See 00-repo-inventory.md for full inventory.