Using the Trust Center

This topic describes how to monitor Trust Center costs, and manage scanners, findings, and security risks by using the Trust Center Snowsight interface.

Monitoring cost

The Trust Center incurs serverless compute cost when it scans your Snowflake environment for security vulnerabilities.

You can use cost-related views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas to track the costs associated with the Trust Center. When querying these views, filter on the service_type column to find TRUST_CENTER values.

View                      Schema              service_type   Roles with required privileges
------------------------  ------------------  -------------  ----------------------------------------------------------
METERING_HISTORY          ACCOUNT_USAGE       TRUST_CENTER   ACCOUNTADMIN role; USAGE_VIEWER database role
METERING_DAILY_HISTORY    ACCOUNT_USAGE       TRUST_CENTER   ACCOUNTADMIN role; USAGE_VIEWER database role
METERING_DAILY_HISTORY    ORGANIZATION_USAGE  TRUST_CENTER   ORGADMIN role; ORGANIZATION_USAGE_VIEWER database role
USAGE_IN_CURRENCY_DAILY   ORGANIZATION_USAGE  TRUST_CENTER   ORGADMIN role; ORGANIZATION_BILLING_VIEWER database role

Example: View the total cost that the Trust Center incurred between December 1, 2024 and December 31, 2024.

SELECT
   SUM(credits_used) AS total_credits
FROM snowflake.account_usage.metering_history
WHERE
   service_type = 'TRUST_CENTER' AND
   start_time >= '2024-12-01' AND
   -- use an exclusive upper bound so that usage on December 31 is included
   end_time < '2025-01-01';

Example: View the daily cost that the Trust Center incurred after December 1, 2024.

SELECT
   usage_date AS date,
   credits_used AS credits
FROM snowflake.account_usage.metering_daily_history
WHERE
   service_type = 'TRUST_CENTER' AND
   date > '2024-12-01';

For information about how many credits are charged per Compute-Hour for the operation of the Trust Center, see Table 5 in the Snowflake Service Consumption Table.
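The two queries above give a total and a daily listing. When deciding whether a scanner's information is worth its cost (see the note under Enable or disable a scanner in a scanner package), it is more useful to see whether Trust Center spend is drifting, for example after someone shortens a scanner package schedule. The following query is an added example, not from the Snowflake documentation; it uses the same METERING_DAILY_HISTORY view and columns as the page's own queries. The 90-day window, the trailing 7-day average, the 2x threshold and the REVIEW/OK labels are assumptions chosen for illustration.

```sql
-- Added example (not Snowflake's own documentation code).
-- Daily Trust Center credits with a trailing 7-day average; days that cost
-- more than twice the trailing average are flagged for review. The window
-- (90 days), the threshold (2x) and the flag labels are assumptions.
WITH daily AS (
    -- Sum per day in case the view returns more than one row per usage_date.
    SELECT
        usage_date,
        SUM(credits_used) AS credits_used
    FROM snowflake.account_usage.metering_daily_history
    WHERE
        service_type = 'TRUST_CENTER' AND
        usage_date >= DATEADD(day, -90, CURRENT_DATE())
    GROUP BY usage_date
),
trended AS (
    SELECT
        usage_date,
        credits_used,
        -- Average of the previous seven days, excluding the current day,
        -- so a spike does not inflate its own baseline.
        AVG(credits_used) OVER (
            ORDER BY usage_date
            ROWS BETWEEN 7 PRECEDING AND 1 PRECEDING
        ) AS trailing_7d_avg
    FROM daily
)
SELECT
    usage_date,
    credits_used,
    ROUND(trailing_7d_avg, 4) AS trailing_7d_avg,
    IFF(trailing_7d_avg > 0 AND credits_used > 2 * trailing_7d_avg,
        'REVIEW', 'OK') AS cost_flag
FROM trended
ORDER BY usage_date DESC;
```

Run this with a role listed in the table above for ACCOUNT_USAGE (for example ACCOUNTADMIN). A run of REVIEW rows that starts on the day a scanner package schedule or an individual scanner schedule was changed is the signal to compare the new scan frequency against the value of the findings it produces.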

Use the Trust Center Snowsight interface

This preview introduces several changes to the Trust Center. The Trust Center Snowsight interface now has the following tabs:

  • Overview - Displays a high-level summary of Trust Center findings for your account. Select the View option in each section of Overview to see more detailed information about a specific aspect of your account’s security posture.

  • Violations - This tab was previously named the Findings tab. It shows violations, suggests remediation actions for them, and provides detailed information about them. For information about using this tab, go to the Violations tab, and then follow the instructions in Manage the violation findings lifecycle and Manage security risks.

  • Detections - This tab shows the detections found by the scanners and provides information about them. For information about using this tab, see View Trust Center detection findings.

  • Manage scanners - Now contains the Scanner packages tab. You can use it to view and manage scanner packages and individual scanners. The event-driven scanners added in this preview show Event driven in the SCHEDULE column. For information about using this tab, go to the Manage scanners tab, and then follow the instructions in Manage scanner packages and Managing scanners.

  • Manage scanners - Now contains the Extensions tab. You can create Trust Center extensions by using the Snowflake Native App Framework. For more information, see Using Trust Center extensions.

Manage scanner packages

You can complete the following tasks to manage scanner packages in the Trust Center:

View the list of scanners in a package

To view the list of scanners provided in a scanner package, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Manage scanners tab.

  5. From the list, select a scanner package.

Enable scanner packages

To enable a scanner package, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Manage scanners tab.

  5. Select a scanner package from the list.

  6. Select Enable Package.

After you enable a scanner package, you can enable or disable individual scanners in the scanner package.

View available scanner packages

To view available scanner packages, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Manage scanners tab.

  5. Optionally, select Provider, Status, or Search to filter the list of scanner packages available.

Change the schedule for a scanner package

You can change the schedule for all scanner packages, except the Security Essentials scanner package.

Tip

After a scanner package is enabled, you can change the schedule for individual scanners in the scanner package.

To change the schedule for a scanner package, follow these steps:

  1. Ensure you’ve enabled the CIS Benchmarks scanner package.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  4. In the navigation menu, select Governance & security » Trust Center.

  5. Select the Manage scanners tab.

  6. Select a scanner package from the list.

  7. Select the Settings tab.

  8. Under Scanner Package Schedule, select Edit.

  9. Set your desired Frequency.

  10. Select Continue.

Run a scanner package on demand

To run a scanner package on demand, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Manage scanners tab.

  5. Select a scanner package from the list.

  6. Next to Search, select Run Package.

Managing scanners

You can complete the following tasks to manage scanners in the Trust Center:

View details for a scanner

To view details that describe what each scanner does, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Manage scanners tab.

  5. Select a scanner package from the list.

  6. Select a scanner from the list of scanner names.

Enable or disable a scanner in a scanner package

Attention

Scanners provide valuable information about possible security risks at a minimal cost. Before disabling a scanner, we recommend evaluating the value of the information provided by the scanner in relation to the cost associated with running it. For more information about evaluating the cost associated with a scanner, see Monitoring cost.

If a scanner package is disabled, all of the scanners in the package are disabled, including scanners that were enabled individually.

To enable or disable a scanner in a scanner package, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Manage scanners tab.

  5. Select a scanner package from the list.

  6. In the STATE column for the scanner, enable or disable the scanner.

  7. In the confirmation box, select Confirm.

Change the schedule for a scanner

You can change the schedule for schedule-based scanners only. You can’t change the schedule for event-driven scanners; you can only enable or disable an event-driven scanner.

Note

When a custom schedule is set for an individual scanner, that setting is used instead of its scanner package schedule, even if the scanner package schedule is changed.

To change the schedule for a scanner, follow these steps:

  1. Ensure that you enabled the scanner.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  4. In the navigation menu, select Governance & security » Trust Center.

  5. Select the Manage scanners tab.

  6. Select a scanner package from the list.

  7. Select More for the scanner, and then select Edit schedule.

  8. Set your desired Frequency.

  9. Select Save.

Reset the schedule for a scanner to the scanner package schedule

To change the schedule for a scanner to match its scanner package schedule, follow these steps:

  1. Ensure that you enabled the scanner.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  4. In the navigation menu, select Governance & security » Trust Center.

  5. Select the Manage scanners tab.

  6. Select a scanner package from the list.

  7. Select More for the scanner, and then select Edit schedule.

  8. Select Reset, and then select Reset to scanner package schedule.

  9. Select Save.

Run a scanner on demand

To run a scanner on demand, follow these steps:

  1. Ensure that you enabled the scanner.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  4. In the navigation menu, select Governance & security » Trust Center.

  5. Select the Manage scanners tab.

  6. Select a scanner package from the list.

  7. Select More for the scanner, and then select Run scanner.

Manage the violation findings lifecycle

Specific application roles allow you to view and manage violation findings by using the Violations tab. For more information, see Required roles.

View violations

To view and filter your violations data to see your current progress, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Violations tab.

  5. To view the list of open, muted, or all violations, select an option from the Status drop-down menu.

  6. To see a detailed pane with the violation’s summary, recommendations, and activity, select any violation.

  7. In the violation bar, select Activity to see the comments history and the responsible users.

  8. To see the scanner’s last run and when the violation was generated, select Scanned.

  9. To see when the violation status was last changed, select Updated.

Change the status of a violation finding

Attention

Marking a violation as Muted is a way to triage open violations so that you can focus on the ones most important for your environment. Muting a violation also stops the periodic email notifications for that violation. Scanners still run as scheduled regardless of whether a violation is Open or Muted, and a scanner continues to detect the violation as long as the underlying configuration remains unchanged.

All new security violations are raised with an Open status.

You can mute a violation for any reason, such as the violation not being applicable to your account, remediation being deferred to a future date, or remediation already being in progress. To change the status of a violation, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Violations tab.

  5. Select a violation to open its detail pane. By default, only violations with the Open status are shown.

  6. Select the Mute notification button.

  7. (Optional) To justify the resolution, add a comment.

  8. Select Submit.

You can reopen a muted violation by selecting the Unmute button.

Note

Manually muting a violation finding isn’t mandatory for customers. The Trust Center automatically removes violation findings from the Violations tab when a scanner run determines that any misconfiguration was corrected or remediation steps were followed correctly.

Remediate violations with Cortex Code

You can use Cortex Code to get AI-guided remediation for Trust Center violations directly in Snowsight. When you select Begin Remediation for a finding, Cortex Code opens a chat that explains the violation in the context of your account, recommends remediation steps, and can execute remediation actions with your approval.

Cortex Code provides interactive, conversational remediation that is personalized to your account’s specific configuration. Unlike the static remediation instructions on the Remediation tab, Cortex Code can tailor its guidance based on the entities and configurations involved in the violation, answer follow-up questions, and generate SQL statements that you can review and run.

Prerequisites

To use Cortex Code for violation remediation, the following conditions must be met:

  • Cortex Code in Snowsight must be available for your account.

  • Your role must have the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it. For more information about granting this role, see Required roles.

  • Your role must have the SNOWFLAKE.CORTEX_USER database role granted to it.

Remediate a violation with Cortex Code

To remediate a violation by using Cortex Code, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Violations tab.

  5. Select a violation to open the findings detail panel, and select Begin Remediation, or select the Cortex icon in the list of violations.

    Cortex Code opens in a chat panel on the right side of the screen. The chat is pre-populated with the context of the selected violation, including the violation type, severity, affected entities, and scanner details.

  6. Review the explanation and remediation steps that Cortex Code provides. You can:

    • Ask follow-up questions to understand the violation in more detail.

    • Request alternative remediation approaches.

    • Ask Cortex Code to generate SQL statements for the remediation.

    • Review and run SQL statements directly from the chat.

  7. After you complete the remediation, wait for the next scheduled scanner run or run the scanner on demand to verify that the root cause of the violation has been remediated. The Trust Center automatically removes the violation from the Violations tab after the scanner confirms the remediation. A remediated finding may still appear as an open finding in Snowsight for up to 3 hours after the violation is remediated and the scanner is re-run.

Note

AI-guided remediation is available for violations only. Detections represent unique events that occurred in the past and don’t have direct remediation steps. However, you can use Cortex Code to investigate and plan a course of action for detection findings as well.

Considerations

  • Cortex Code generates remediation suggestions based on your account’s configuration and the details of the specific violation. Always review the suggested SQL statements before running them.

  • Some violations require actions outside of Snowflake, such as coordinating an organization-wide MFA policy change or investigating whether a login from an unrecognized IP address is legitimate. In these cases, Cortex Code explains the required steps but cannot execute them on your behalf.

  • After completing a remediation, you can verify the fix by running the scanner on demand rather than waiting for the next scheduled run. For more information, see Run a scanner package on demand.

View Trust Center detection findings

The Detections tab displays information about the detection findings reported by the Trust Center and lets you examine them.

Note

Currently, you can’t manage the lifecycle of a detection finding (that is, mute or reopen it). Detection findings aren’t currently aggregated into the Organization account.

View detections

To view detections, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role that has either the SNOWFLAKE.TRUST_CENTER_ADMIN application role or the SNOWFLAKE.TRUST_CENTER_VIEWER application role granted to it.

    For more information about granting these roles, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Detections tab.

    A chart displays information about detections in the specified time period. You can adjust filters to modify the detections displayed on the tab. See the next step for information about modifying filters.

    The detections bar displays information about each detection, such as the detection type, entity type, entity name, and additional information.

  5. To analyze the detections displayed on the tab, adjust the filters:

    • Detection Type - Clear the filter to show detections of any type, or select a type to show only detections of that type; for example, Abnormal Account Activities, Insecure Login, or Privilege Escalation.

    • Severity - Clear the filter to show detections of any severity, or select a severity to show only detections of that severity; for example, Critical, High, Medium, or Low.

    • Entity Type - Clear the filter to show detections for any entity type, or select an entity type to show only detections for that entity type; for example, QUERY, ROLE, or USER.

    • Reported By - Clear the filter to show detections reported by all scanners in the Security Essentials and Threat Intelligence scanner packages, or select a scanner package to only show detections reported by scanners in that scanner package.

    • Time Range - Clear the filter to show all detections that were reported at any time or select a time range to view detections reported in the selected time range.

  6. To see a detailed pane with the detection’s summary, remediation recommendations, and activity, select any detection.

    To open a worksheet with queries that you can run to get more information on the scanner output, on the Remediation tab, select Open a Worksheet.

Manage security risks

You can complete the following tasks to manage security risks in the Trust Center:

View security risks

To view security risks, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Violations tab.

  5. Select a recommendation from the list of violations to view details about the violation associated with the recommendation.

  6. Optionally, select Severity, Violations, or Search to filter the list of recommendations shown.

Remediate security risks

When viewing individual security risks, you can learn how to remediate the risks associated with the recommendations that display, allowing you to harden the security of your account.

To remediate security risks, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role that has the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required roles.

  3. In the navigation menu, select Governance & security » Trust Center.

  4. Select the Violations tab.

  5. From the list of violations, select a recommendation.

  6. In the Remediation tab, follow the steps that are shown.