Trust Center¶
Note
Snowflake reader accounts are not supported.
You can use the Trust Center to evaluate and monitor your account for security risks. The Trust Center evaluates your account against recommendations specified in scanners according to a schedule, but you can change how frequently scanners run. If your account violates any of the recommendations in any of the enabled scanners, then the Trust Center provides a list of security risks, and information about how to mitigate those risks.
Common use cases¶
Required privileges¶
A user with the ACCOUNTADMIN role must grant your role the
SNOWFLAKE.TRUST_CENTER_VIEWER
or SNOWFLAKE.TRUST_CENTER_ADMIN
application role,
depending on which Trust Center tab you want to access.
See the following table for information about which application roles you need for accessing specific tabs in the Trust Center:
Trust Center tab |
Required application roles |
---|---|
Findings |
|
Scanner Packages |
|
For example, to create and grant a separate role for accessing the Findings tab, and a separate role for accessing the Scanner Packages tab, you can run the following commands using the ACCOUNTADMIN role:
USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;
CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;
GRANT ROLE trust_center_admin_role TO USER example_admin_user;
GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;
Using private connectivity¶
The Trust Center supports private connectivity. For more information, see Using private connectivity.
Findings¶
The Trust Center provides a Findings tab that provides the following information:
A graph of scanner violations over time, color coded by low, medium, high, and critical severity.
An interactive list of recommendations for each violation found. Each recommendation contains details about the violation, when the scanner was last run, and how to remediate the violation.
Findings let you identify Snowflake configurations in the account that violate the requirements of enabled scanner packages. For each violation, the Trust Center provides an explanation of how to remediate the violation. After you remediate a violation, the violation still appears in the Findings tab until the next scheduled run of the scanner package containing the scanner that reported the violation begins, or until you run the scanner package manually.
You need specific a application role to access the Findings tab. For more information, see Required privileges.
Scanners¶
A scanner is a scheduled background process that checks your account for security risks based on how you configured your account. Scanners are grouped together into scanner packages. Scanners contain information about what security risks they check for in your account, and the scanner package that contains them.
Scanner packages contain a description and a list of scanners that run when you enable the scanner package. After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule.
By default, scanner packages are deactivated, except for the Security Essentials scanner package.
Scanner packages run according to a schedule. You cannot change the schedule of the Security Essentials scanner package scanner package, but you can change the schedule of the following scanner packages:
You must first enable a scanner package before you can change its schedule.
You need specific application role(s) to access the Scanner Packages tab. For more information, see the table in requirements.
The following scanner packages are available:
Security Essentials scanner package¶
The Security Essentials scanner package is a free scanner package that does not incur cost. This scanner package scans your account to check for account configurations recommended by Snowflake, and checks that multi-factor authentication (MFA) is turned on for all users that use password authentication.
This scanner only scans users with their TYPE property set to PERSON or NULL.
This scanner package runs every two weeks, and you cannot change the schedule.
By default, this scanner package is enabled and cannot be deactivated.
The Security Essentials scanner package does not incur serverless compute cost.
CIS Benchmarks scanner package¶
You can access additional security insights by enabling the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for Snowflake account configurations meant to reduce security vulnerabilities. The CIS Snowflake Benchmarks were created through community collaboration and consensus among subject matter experts.
To obtain a copy of the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website.
The recommendations found in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation
of the first section is numbered 1.1
. In the Findings tab, the Trust Center provides section numbers for each
violation if you want to reference the Snowflake CIS Benchmarks.
This scanner package runs once a day by default, and you can change the schedule.
For information about enabling scanner packages, the cost that can occur from enabled scanners, and how to change the schedule of a scanner package, see the following references:
Note
For specific Snowflake CIS benchmarks, Snowflake only determines whether you have implemented a specific security measure, but does not evaluate whether the security measure was implemented in a way that achieves its objective. For these benchmarks, the absence of a violation does not guarantee that the security measure is implemented in an effective manner. The following benchmarks either do not evaluate whether your security implementations were implemented in a way that achieve their goal, or the Trust Center does not perform checks for them:
All of section 2: Monitoring and Alerting
3.1: Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses. Trust Center displays a violation if you do not have an account-level network policy, but does not evaluate whether the appropriate IP addresses have been allowed or blocked.
4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter associated with Time Travel is not set to 90 days for the account or at least one object, but does not evaluate which data is considered critical.
4.10: Ensure that data masking is enabled for sensitive data. Trust Center displays a violation if the account does not have at least one masking policy, but does not evaluate whether sensitive data is protected appropriately. The Trust Center does not evaluate whether a masking policy is assigned to at least one table or view.
4.11: Ensure that row-access policies are configured for sensitive data. Trust Center displays a violation if the account does not have at least one row access policy, but does not evaluate whether sensitive data is protected. The Trust Center does not evaluate whether a row access policy is assigned to at least one table or view.
Threat Intelligence scanner package¶
You can access additional security insights by enabling the Threat Intelligence scanner package, which lets you discover risky users based on user TYPE or ADMIN_USER_TYPE, authentication methods, authentication policies, and network policies used. This scanner package provides a risk severity for each risky user, to help you prioritize which users to address first.
This scanner package scans all types of users, and categorizes them as risky or not risky, depending on their type and conditions.
Any type of user is considered risky if all of the following criteria are true:
They use a password or an RSA public key to authenticate.
They are not enforced to use MFA by an authentication policy.
They are not restricted by a network policy.
Each risky user has a severity, based on their TYPE and whether or not a restrictive network policy is used.
See the table below for a list user types, and what severity levels are reported under what conditions:
Condition |
Risk severity |
|
---|---|---|
PERSON or NULL |
They do not have an authentication policy that enforces MFA, and do not have a network policy restricting them. |
CRITICAL |
They do not have an authentication policy that enforces MFA, but have a network policy restricting them. |
HIGH |
|
SERVICE or LEGACY_SERVICE |
They do not have an authentication policy that enforces MFA, and do not have a network policy restricting them. |
CRITICAL |
They do not have an authentication policy that enforces MFA, but have a network policy restricting them. |
MEDIUM |
This scanner package runs once a day by default, and you can change the schedule.
For information about enabling scanner packages, the cost that can occur from enabled scanners, and how to change the schedule of a scanner package, see the following references: