AWS Security

Service Control Policy you own this product

This project is part of the liveProject series AWS Security: Compliance and Observability
basic CloudFormation • intermediate Python • intermediate knowledge of AWS accounts/Organizations
skills learned
organizations service control policies • AWS CodeBuild • AWS CodeCommit • pytest • CloudWatchEvents • Boto
Eric Kascic
1 week · 6-8 hours per week · INTERMEDIATE
filed under

placing your order...

Don't refresh or navigate away from the page.
liveProject This project is part of the liveProject series AWS Security: Compliance and Observability liveProjects give you the opportunity to learn new skills by completing real-world challenges in your local development environment. Solve practical problems, write working code, and analyze real data—with liveProject, you learn by doing. These self-paced projects also come with full liveBook access to select books for 90 days plus permanent access to other select Manning products. $19.99 $29.99 you save $10 (33%)
Service Control Policy (liveProject) added to cart
continue shopping
adding to cart

choose your plan


only $41.67 per month
  • five seats for your team
  • access to all Manning books, MEAPs, liveVideos, liveProjects, and audiobooks!
  • choose another free eBook every time you renew
  • choose twelve free eBooks per year
  • exclusive 50% discount on all purchases
  • Service Control Policy eBook for free
Look inside

QryptoTremolo, a startup that’s been developing a set of next-generation financial services, has already taken steps to provide visibility into its AWS accounts and set up AWS GuardDuty to detect intruders. But managers of the development teams have administrator access to these accounts, and despite being a dangerous anti-pattern, that’s not going to change anytime soon. Your task is to automate the configuration of organizational service control policies that restrict access of local administrators (and intruders) to any AWS Config and EventBridge resources located in the AWS accounts. You’ll write code to query the IAM (Identity and Access Management) policy simulator in order to gauge API calls’ ability to tamper with resources. You’ll also develop end-to-end tests that prove whether an SCP change will behave as expected, and build a pipeline to codify the change control process for the SCP.

This project is designed for learning purposes and is not a complete, production-ready application or solution.

book resources

When you start your liveProject, you get full access to the following books for 90 days.

project author

Eric Kascic

Eric Kascic is a software developer with 25 years of professional experience. He has developed software solutions across a variety of business domains including telecommunications, medical imagery, and financial services. He has developed embedded, desktop, and server-side software, and has specialized in creating build, deployment, and test automation systems.

Since 2013, he has primarily focused on the AWS platform. At Stelligent, a boutique consulting firm that traditionally specialized in CI/CD, DevOps, and AWS automation, he developed CI/CD solutions for the AWS platforms of financial services companies. In developing infrastructure-as-code solutions, security was a primary focus. Eric invented the cfn_nag tool in 2016 to perform static analysis on CloudFormation templates to help customers prevent deploying unsecured AWS resources (such as those missing encryption or with overly permissive access).

He is currently a principal security engineer at a financial services company where he develops software to support security processes including automation of AWS IAM role creation, as well as a platform to detect and remediate insecure AWS resources across hundreds of accounts. Eric has published several articles relevant to security automation in AWS, including articles about cfn_nag, IAM, CloudFormation, and CI/CD.


This liveProject is for security engineers with intermediate experience in AWS and infrastructure as code. To begin these liveProjects you’ll need to be familiar with the following:

  • Python 3.7
  • AWS CLI 1.18
  • Bash 3
  • Boto3 1.18
  • pytest 6.2.0
  • Git 2.24
  • Basic knowledge of *nix/bash command shell
  • Basic experience with CloudFormation
  • Basic experience with the AWS CLI
  • Intermediate knowledge of AWS accounts and AWS Organizations
  • Intermediate knowledge of Python 3 programming including: lists, dicts, loops, comprehensions, functions, conditionals
  • Basic knowledge of IAM and assuming cross-account IAM roles
  • Basic understanding of cloud computing and the AWS platform
  • Basic understanding of infrastructure as code
  • Basic understanding of security concepts

Note: These exercises rely upon the AWS platform, which may carry usage costs.

you will learn

In this liveProject, you’ll learn to implement service control policies that restrict access to resources and prevent tampering.

  • Use Boto to deploy and test organizations service control policies
  • Fit the deployment and test execution into CodeBuild pipelines


You choose the schedule and decide how much time to invest as you build your project.
Project roadmap
Each project is divided into several achievable steps.
Get Help
While within the liveProject platform, get help from other participants and our expert mentors.
Compare with others
For each step, compare your deliverable to the solutions by the author and other participants.
book resources
Get full access to select books for 90 days. Permanent access to excerpts from Manning products are also included, as well as references to other resources.