Home > Mechanisms > Sandbox



A sandbox is a testing environment that isolates untested or unknown code. Sandboxing protects operational systems and their data from unknown code that may have arrived on the network from unknown external sources. It can provide threat intelligence by analyzing code behavior, and can for example be used in conjunction with rogue executables captured in a honeypot or for testing an unknown VM image.

Figure 1 - An example of a sandbox being used to test an unknown VM instance.

Figure 1 is an example of sandboxing that isolates rogue VMs, preventing malicious or unapproved VMs from damaging or snooping on the rest of the compute resource, or escaping. Sandboxes restrict what a program can do, providing only the permission level it needs without adding additional permissions that could be abused. Another example is browser sandboxing of loaded Web pages. Web pages can run JavaScript code, but if the JavaScript code tries to access a local file on the compute resource, the request will fail because the code is being executed inside the sandbox.

Related Patterns: Cloud Certified Professional (CCP) Module 7: Fundamental Cloud Security Cloud Certified Professional (CCP) Module 8: Advanced Cloud Security

This mechanism is covered in CCP Module 7: Fundamental Cloud Security and
in Module 8: Advanced Cloud Security.

For more information regarding the Cloud Certified Professional (CCP) curriculum, visit

Cloud Computing Design Patterns

The architectural model upon which this design pattern is based is further covered in:

Cloud Computing Design Patterns by Thomas Erl, Robert Cope, Amin Naserpour

(ISBN: 9780133858563, Hardcover, ~ 528 pages)

For more information about this book, visit