Eric Kascic

Eric Kascic is a software developer with 25 years of professional experience. He has developed software solutions across a variety of business domains including telecommunications, medical imagery, and financial services. He has developed embedded, desktop, and server-side software, and has specialized in creating build, deployment, and test automation systems.

Since 2013, he has primarily focused on the AWS platform. At Stelligent, a boutique consulting firm that traditionally specialized in CI/CD, DevOps, and AWS automation, he developed CI/CD solutions for the AWS platforms of financial services companies. In developing infrastructure-as-code solutions, security was a primary focus. Eric invented the cfn_nag tool in 2016 to perform static analysis on CloudFormation templates to help customers prevent deploying unsecured AWS resources (such as those missing encryption or with overly permissive access).

He is currently a principal security engineer at a financial services company where he develops software to support security processes including automation of AWS IAM role creation, as well as a platform to detect and remediate insecure AWS resources across hundreds of accounts. Eric has published several articles relevant to security automation in AWS, including articles about cfn_nag, IAM, CloudFormation, and CI/CD.

projects by Eric Kascic

Service Control Policy

1 week · 6-8 hours per week · INTERMEDIATE

QryptoTremolo, a startup that’s been developing a set of next-generation financial services, has already taken steps to provide visibility into its AWS accounts and set up AWS GuardDuty to detect intruders. But managers of the development teams have administrator access to these accounts, and despite being a dangerous anti-pattern, that’s not going to change anytime soon. Your task is to automate the configuration of organizational service control policies that restrict access of local administrators (and intruders) to any AWS Config and EventBridge resources located in the AWS accounts. You’ll write code to query the IAM (Identity and Access Management) policy simulator in order to gauge API calls’ ability to tamper with resources. You’ll also develop end-to-end tests that prove whether an SCP change will behave as expected, and build a pipeline to codify the change control process for the SCP.

AWS Athena

1 week · 6-8 hours per week · INTERMEDIATE

QryptoTremolo, a startup that’s developing a set of next-generation financial services, has hired you to help upgrade its security. The company has set up an organizational AWS CloudTrail, which deposits all the events of QryptoTremolo’s AWS control plane, as well as some data plane, in an S3 bucket within the security account. But the events are stored in a form that doesn’t lend itself well to forensic queries. QryptoTremolo has chosen AWS Athena as a query-friendly solution. Your task is to configure AWS Athena to allow for sending advanced forensic queries to an S3 bucket filled with organizational CloudTrail events. You’ll learn how to create forensic SQL queries and issue them in a performant way across all accounts in the organization.

CI/CD and Change Control

1 week · 6-8 hours per week · INTERMEDIATE

You’ve been hired by QryptoTremolo, a startup that’s been developing a set of next-generation financial services, to lower the risk of security breaches. The company has chosen to develop and operate in AWS. Its development teams have had unrestricted access to the AWS accounts, and ad hoc development has evolved organically, increasing the risk for security breaches. To uplevel security in these accounts, you’ll deploy CloudFormation templates and develop a suite of automated pytest tests to verify their configuration. Next, you’ll build a CI/CD CodeBuild pipeline that triggers on infrastructure changes and deploys and tests the changes across the organization. This change control automation will enable you to respond quickly—and confidently—to changing business needs.

Custom Rule Development

1 week · 6-8 hours per week · INTERMEDIATE

Enter course descriptionA string of high-profile security breaches has been featured recently on the news, and QryptoTremolo doesn’t want to be the next headline. You’ve been hired by the startup, which is developing a set of next-generation financial services, to lower the risk of breaches and bring security controls to its AWS accounts. Leveraging pytest and Boto, you’ll develop and deploy a custom Config rule to look for peculiar misconfigurations or conditions that aren’t covered by AWS’s off-the-self managed rules.

AWS Config

1 week · 6-8 hours per week · INTERMEDIATE

You’ve been hired to bring security controls to QryptoTremolo’s AWS accounts. The startup, which develops next-generation financial services, chose to develop and operate in AWS. QryptoTremolo’s development teams have had unfettered access to the AWS accounts, and ad hoc development has evolved organically, increasing the risk for security breaches. It’s up to you to lower this risk so that the company doesn’t end up on the front-page news…for the wrong reasons. Using CloudFormation, stack sets, and the AWS CLI, you’ll set up AWS Config with rules to preemptively discover resources that aren’t configured according to security best practices.

AWS Security: Compliance and Observability

5 weeks · 6-8 hours per week average · INTERMEDIATE

QryptoTremolo is an up-and-coming startup that develops next-generation financial services. The company chose to develop and operate in AWS to take advantage of its pay-as-you-go model for infrastructure. QryptoTremolo’s development teams have had unrestricted access to the AWS accounts, and ad hoc development has evolved organically, increasing the risk for security breaches. You’ve been hired to lower this risk and bring security controls to these accounts so the company doesn’t end up on the front-page news… because there is such a thing as bad publicity.

In these liveProjects, you’ll learn to automate configuration of security controls for AWS accounts, focusing on compliance and forensics. You’ll set up AWS Config with rules, deploy custom Config rules, build a CI/CD CodeBuild pipeline to automate change control, create forensic SQL queries, and automate the configuration of organizational service control policies (SCP) to prevent resource tampering. When you’re done with these liveProjects, you’ll have gained important skills for bringing compliance and observability to AWS accounts, and the peace of mind that comes with knowing your AWS accounts are secure.

For more on AWS security, please see AWS Security: Audit and Intrusion Detection Automation.

AWS Security: Audit and Intrusion Detection Automation

5 weeks · 6-8 hours per week average · INTERMEDIATE

Making the front page news would be great for a company...if it’s for the right reasons. Qrypto Tremolo is an up-and-coming startup that develops next-generation financial services. As is typical with startups, its business management team has prioritized feature delivery over security. You’ve been hired by the startup to add security controls to its application developers’ accounts… and stop the company from making front page news for the wrong reasons.

Your goal is to provide security controls that improve observability of possible security events and avoid impacting the application developers. Since this task is solely your responsibility, you must maximize automation so that you can roll out changes quickly and reliably. To achieve your goals, you’ve chosen the following security services: AWS CloudTrail, Amazon GuardDuty, and the service control policy feature of AWS Organizations.

For more on AWS security, please see AWS Security: Compliance and Observability.

Organizations Service Control Policy

1 week · 6-8 hours per week · INTERMEDIATE

In this liveProject, you’ll leverage organizations service control policies to protect administrative and security resources in the accounts used by development teams where these teams have privileged access. Specifically, you will add automation to restrict access of local administrators (and intruders!) to any AWS CloudTrail and Amazon GuardDuty resources located in the accounts. Without these protections, the security controls we have put in place for audit, forensic analysis, and intrusion detection can be interfered with by the local administrators.

GuardDuty Test and CI/CD

1 week · 8 hours per week · INTERMEDIATE

In this liveProject, you’ll ensure that the security team can make incremental, verifiable changes to its Amazon GuardDuty intrusion detection configuration. You’ll develop a suite of automated tests and CI/CD AWS CodeBuild pipelines to deploy and test changes across the organization.

GuardDuty Intrusion Detection

1 week · 4-6 hours per week · INTERMEDIATE

In this liveProject, you’ll set up the intrusion detection service Amazon GuardDuty to help catch any hackers who may be trying to break in—or who already have and are up to no good! To achieve this goal, you’ll iteratively develop infrastructure as code in the form of AWS CloudFormation templates, then learn to address cross-account automation issues.

CloudTrail Test and CI/CD

1 week · 8 hours per week · INTERMEDIATE

In this liveProject, you’ll ensure that Qrypto Tremolo’s security team can make incremental, verifiable changes to its AWS CloudTrail configuration. To achieve this, you’ll develop a suite of automated tests and CI/CD CodeBuild pipelines to deploy and test changes across the organization.

CloudTrail Automation

1 week · 8 hours per week · INTERMEDIATE

In this liveProject, you’ll bring visibility to customer AWS accounts using AWS CloudTrail, a vital tool that provides insight into all API actions invoked in consumer accounts. To achieve your objective, you’ll iteratively develop infrastructure as code in the form of AWS CloudFormation templates, then learn to address cross-account automation issues.