KSI-CNA-DFP—Defining Functionality and Privileges
Formerly KSI-CNA-04
Control Description
NIST 800-53 Controls
Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express data flows through interactive architecture diagrams — a 4-stage digital data lifecycle (Ingress, Processing, Storage, Egress) with encryption status at each stage, specific data elements tracked per flow, and processing location metadata. Data flow documentation is derived from IaC and service mesh configurations rather than manually drawn diagrams.
Data Flow and Processing Architecture
Architecture expressing how customer data flows through the system — including processing locations, encryption status per stage, and data element tracking
Data Residency Information
Where customer data is stored and processed — data residency options and geographic constraints as a product feature
Data Processing Agreement
DPA covering data handling, processing purposes, and retention
Programmatic Queries
CLI Commands
aws iam list-policies --scope Local --query "Policies[].{Name:PolicyName,Arn:Arn,Updated:UpdateDate}" --output table
aws iam get-policy-version --policy-arn <policy-arn> --version-id v1 --query "PolicyVersion.Document" --output json
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Are functionality and privileges strictly defined for all infrastructure and service types — compute instances, containers, serverless functions, managed services, and network components?
- What resources still have broad or default privileges that have not been scoped down, and how are those exceptions tracked?
- How do you ensure that service accounts, IAM roles, and machine identities associated with infrastructure also follow strictly defined privilege boundaries?
- When new infrastructure types or cloud services are adopted, what process ensures their functionality and privileges are defined before deployment?
Automation & Validation:
- What automated policy checks (OPA, Sentinel, AWS Config Rules) enforce that deployed resources do not exceed their defined functionality and privilege boundaries?
- How do you detect if a resource acquires privileges or functionality beyond its definition at runtime — for example, through role assumption or dynamic policy changes?
- What happens when a policy violation is detected — is the resource automatically reverted, quarantined, or only flagged?
- How do you test that privilege boundaries actually restrict access as intended, rather than just being defined on paper?
Inventory & Integration:
- How do you maintain a mapping between each infrastructure resource and its defined functionality and privilege scope?
- What tools enforce privilege definitions at deployment time (IaC policy scanners, admission controllers) versus at runtime (CSPM, CWPP)?
- How do privilege definitions for infrastructure integrate with your IAM system to prevent privilege escalation paths?
- Are privilege definitions stored as code alongside infrastructure definitions, or maintained in a separate system?
Continuous Evidence & Schedules:
- How do you continuously demonstrate that deployed resources operate within their defined functionality and privilege boundaries?
- What evidence shows privilege definitions are reviewed and tightened over time rather than remaining static?
- Is resource privilege compliance data available via API or dashboard for ongoing monitoring?
- How do you detect privilege drift — resources gradually acquiring more permissions than originally defined — between review cycles?
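An added example (not part of this indicator page or any FedRAMP tooling) of the kind of automated check the Automation & Validation and Continuous Evidence questions above ask about: it takes a policy document in the JSON shape the `aws iam get-policy-version` query above returns, flags Allow statements with wildcard actions or resources, and computes privilege drift against a defined scope. The scope set and the policy document are constructed sample data.

```python
# Constructed sample, not from the page: the privilege scope defined for a
# workload (its baseline) and the policy document actually attached to it,
# in the JSON shape `aws iam get-policy-version` returns.
DEFINED_SCOPE = {"s3:GetObject", "s3:ListBucket", "sqs:ReceiveMessage"}

DEPLOYED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-ingest-bucket/*"},
        {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def allowed_actions(policy):
    """Actions granted by Allow statements (Deny never widens the scope).
    NotAction/NotResource and Condition blocks are not evaluated here."""
    actions = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def overbroad_statements(policy):
    """Indexes of Allow statements granting wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*")
                          for a in _as_list(stmt.get("Action")))
        if wild_action or "*" in _as_list(stmt.get("Resource")):
            findings.append(i)
    return findings


def privilege_drift(defined, policy):
    """Actions the deployed policy allows beyond the defined scope, sorted."""
    return sorted(allowed_actions(policy) - defined)
```

On the sample, statements 1 and 2 are flagged as over-broad and the drift is `iam:*` and `sqs:DeleteMessage`; running the same functions on each policy version over time gives the review-cycle drift evidence the last question asks for.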
Update History