Getting started with the Trust Center
You can use the Trust Center to check for common security risks in your Snowflake account and get recommendations on how to remediate those risks.
Enable the CIS Benchmarks scanner package
Complete the following steps to enable the CIS Benchmarks scanner package:
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Select a warehouse.
Select Scanner Packages.
Select CIS Benchmarks.
Select Enable and then Continue.
After you enable the scanner package, you can enable or disable individual scanners in it. You can also change the schedule of each individual scanner.
Enable the Threat Intelligence scanner package
Complete the following steps to enable the Threat Intelligence scanner package:
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Select a warehouse.
Select Scanner Packages.
Select Threat Intelligence.
Select Enable and then Continue.
After you enable the scanner package, you can enable or disable individual scanners in it. You can also change the schedule of each individual scanner.
Ensure multi-factor authentication (MFA) is enforced for all human users using password-based authentication
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Ensure you have enabled the CIS Benchmarks scanner package.
Select Findings.
Above the list of violations, select Search.
In the Search box, enter "multi-factor authentication".
Under the Violation column, select "Ensure multi-factor authentication (MFA) is turned on for all human users with password-based authentication". A side panel opens.
In the side panel, select Remediation, and follow the guidance.
Find over-privileged roles
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Ensure you have enabled the CIS Benchmarks scanner package.
Select Findings.
Above the list of violations, select Search.
In the Search box, enter "snowflake tasks".
Under the Violation column, select "Ensure that Snowflake tasks do not run with the ACCOUNTADMIN or SECURITYADMIN role privileges". A side panel opens.
In the side panel, select Remediation, and follow the guidance.
Ensure the number of users with the ACCOUNTADMIN and SECURITYADMIN system roles is limited
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Ensure you have enabled the CIS Benchmarks scanner package.
Select Findings.
Above the list of violations, select Search.
In the Search box, enter "limit the number of users".
Under the Violation column, select "Limit the number of users with ACCOUNTADMIN and SECURITYADMIN". A side panel opens.
In the side panel, select Remediation, and follow the guidance.
Find users who have not logged in for 90 days
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Ensure you have enabled the CIS Benchmarks scanner package.
Select Findings.
Above the list of violations, select Search.
In the Search box, enter "did not log in".
Under the Violation column, select "Ensure that users who did not log in for 90 days are disabled". A side panel opens.
In the side panel, select Remediation, and follow the guidance.
Find risky users and mitigate authentication risks
Sign in to Snowsight.
Switch to a role with the requirements to access the Trust Center.
In the navigation menu, select Monitoring » Trust Center.
Ensure you have enabled the Threat Intelligence scanner package.
Select Findings.
Above the list of violations, select Search.
In the Search box, enter "Ensure that every user is subject to an authentication policy".
Under the Violation column, select "Ensure that every user is subject to an authentication policy that requires MFA enrollment". A side panel opens.
In the side panel, select Remediation, and follow the guidance.
For more information, see the following resources: