Using the Trust Center¶

This topic describes how to use and navigate the Trust Center Snowsight interface.

Monitoring cost¶

The Trust Center incurs serverless compute cost when it scans your Snowflake environment for security vulnerabilities.

You can use cost-related views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas to track the costs associated with the Trust Center. When querying these views, filter on the service_type column to find TRUST_CENTER values.

View	Schema	`service_type`	Roles with required privileges
METERING_HISTORY	ACCOUNT_USAGE	TRUST_CENTER	ACCOUNTADMIN role USAGE_VIEWER database role
METERING_DAILY_HISTORY	ACCOUNT_USAGE	TRUST_CENTER	ACCOUNTADMIN role USAGE_VIEWER database role
METERING_DAILY_HISTORY	ORGANIZATION_USAGE	TRUST_CENTER	ORGADMIN role ORGANIZATION_USAGE_VIEWER database role
USAGE_IN_CURRENCY_DAILY	ORGANIZATION_USAGE	TRUST_CENTER	ORGADMIN role ORGANIZATION_BILLING_VIEWER database role

Example: View the total cost that the Trust Center incurred between December 1, 2024 and December 31, 2024.

SELECT
   SUM(credits_used) AS total_credits
FROM snowflake.account_usage.metering_history
WHERE
   service_type = 'TRUST_CENTER' AND
   start_time >= '2024-12-01' AND
   end_time <= '2024-12-31';

Copy

Example: View the daily cost that the Trust Center incurred after December 1, 2024.

SELECT
   usage_date AS date,
   credits_used AS credits
FROM snowflake.account_usage.metering_daily_history
WHERE
   service_type = 'TRUST_CENTER' AND
   date > '2024-12-01';

Copy

For information about how many credits are charged per Compute-Hour for the operation of the Trust Center, see Table 5 in the Snowflake Service Consumption Table.

Costs before December 1, 2024¶

Prior to December 1, 2024, serverless compute costs were not tracked with a service type in the cost-related views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas. If you want the historical cost of using the Trust Center before December 1, 2024, you need to query the SERVERLESS_TASK_HISTORY view instead. For example, to view the cost that the Trust Center incurred between May 20, 2024 and May 22, 2024, you can execute the following SQL statement:

SELECT SUM(CREDITS_USED)
  FROM snowflake.account_usage.serverless_task_history
  WHERE
    DATABASE_NAME = 'SNOWFLAKE' AND
    SCHEMA_NAME = 'TRUST_CENTER_STATE' AND
    START_TIME BETWEEN '2024-05-20 07:00:00.000 -0700' AND '2024-05-22 07:00:00.000 -0700';

Copy

Managing scanner packages¶

You can complete the following tasks to manage scanner packages in the Trust Center:

Enable scanner packages.
View available scanner packages.
Change the schedule of a scanner package.
Run a scanner package manually.

Enable scanner packages¶

To enable a scanner package, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select the Settings tab.
Select Enable.

After you enable a scanner package, you can enable or disable individual scanners in the scanner package.

View available scanner packages¶

To view available scanner packages, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Optionally, select Provider, Status, or Search to filter the list of scanner packages available.

Change the schedule of a scanner package¶

You can change the schedule of all scanner packages, except the Security Essentials scanner package.

Tip

After a scanner package is enabled, you can change the schedule of individual scanners in the scanner package.

To change the schedule of a scanner package, follow these steps:

Ensure you’ve enabled the CIS Benchmarks scanner package.
Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select the Settings tab.
Under Scanner Package Schedule, select Edit.
Set your desired Frequency.
Select Continue.

Run a scanner package manually¶

To run a scanner package manually, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
On the right side of Search, select Start.

Managing scanners¶

You can complete the following tasks to manage scanners in the Trust Center:

View descriptions of scanners in scanner packages.
Enable or disable a scanner in a scanner package.
Change the schedule of a scanner.
Reset the schedule of a scanner to the scanner package schedule.
Run a scanner manually.

View descriptions of scanners in scanner packages¶

To view descriptions of scanners in a scanner package, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select a scanner from the list of scanner names.

Enable or disable a scanner in a scanner package¶

Attention

Scanners provide valuable information about possible security risks at a minimal cost. Before disabling a scanner, we recommend evaluating the value of the information provided by the scanner in relation to the cost associated with running it. For more information about evaluating the cost associated with a scanner, see Monitoring cost.

If a scanner package is disabled, all of the scanners in the package are disabled, including scanners that were enabled individually.

To enable or disable a scanner in a scanner package, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
In the scanner STATE, enable or disable the scanner.
In the confirmation box, select Confirm.

Change the schedule of a scanner¶

You can change the schedule of some scanners.

Note

When a custom schedule is set for an individual scanner, that setting is used instead of its scanner package schedule, even if the scanner package schedule is changed.

To change the schedule of a scanner, follow these steps:

Ensure you’ve enabled the scanner.
Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select More for the scanner, and then select Edit schedule.
Set your desired Frequency.
Select Save.

Reset the schedule of a scanner to the scanner package schedule¶

To change the schedule of a scanner to match its scanner package schedule, follow these steps:

Ensure you’ve enabled the scanner.
Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select More for the scanner, and then select Edit schedule.
Select Reset, and then select Reset to scanner package schedule.
Select Save.

Run a scanner manually¶

To run a scanner manually, follow these steps:

Ensure you’ve enabled the scanner.
Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting this role, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select More for the scanner, and then select Run scanner.
In the confirmation box, select Confirm.

Managing security risks¶

You can complete the following tasks to manage security risks in the Trust Center:

View security risks.
Remediate security risks.

View security risks¶

To view security risks, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Findings tab.
Select a recommendation from the list of violations to view details about the violation associated with the recommendation.
Optionally, select Severity, Violations, or Search to filter the list of recommendations shown.

Remediate security risks¶

When viewing individual security risks, you can learn how to remediate the risks associated with the recommendations that display, allowing you to harden the security of your account.

To remediate security risks, follow these steps:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Required privileges.
In the left navigation bar, select Monitoring » Trust Center.
Select the Findings tab.
Select a recommendation from the list of violations.
Follow the steps shown in the Remediation tab.