Trust Center

You can use the Trust Center to evaluate and monitor your account for security risks. The Trust Center evaluates your account against recommendations specified in scanners every 24 hours by default, but you can change how frequently scanners run. If your account violates any of the recommendations in any of the enabled scanners, then the Trust Center provides a list of security risks, and how to mitigate those risks.

Requirements

A user with the ACCOUNTADMIN role must grant your role the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role, depending on which Trust Center tab you want to access.

Refer to the following table for information about which application roles you need for accessing specific tabs in the Trust Center:

Trust Center tab     Required application roles
Findings             SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN
Scanner Packages     SNOWFLAKE.TRUST_CENTER_ADMIN

For example, to create and grant a separate role for accessing the Findings tab, and a separate role for accessing the Scanner Packages tab, you can run the following commands using the ACCOUNTADMIN role:

USE ROLE ACCOUNTADMIN;

CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;

CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

GRANT ROLE trust_center_admin_role TO USER example_admin_user;

GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;

Monitoring cost

The Trust Center can incur serverless compute cost when you enable scanner packages.

You can monitor Trust Center cost using the SERVERLESS_TASK_HISTORY view to query the serverless task usage history.

By default, only users with the ACCOUNTADMIN role can access the SERVERLESS_TASK_HISTORY view. For details about granting access to additional users, see Enabling the SNOWFLAKE Database Usage for Other Roles.

For example, to view the cost incurred by the Trust Center between May 20, 2024 and May 22, 2024, you can execute the following SQL statement:

SELECT SUM(CREDITS_USED)
  FROM snowflake.account_usage.serverless_task_history
  WHERE
    DATABASE_NAME = 'SNOWFLAKE' AND
    SCHEMA_NAME = 'TRUST_CENTER_STATE' AND
    START_TIME BETWEEN '2024-05-20 07:00:00.000 -0700' AND '2024-05-22 07:00:00.000 -0700';

For more information about credit consumption by serverless features, see Serverless credit usage.
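The statement above gives a single total for a fixed window. The following query is an added example (not from the Snowflake documentation) that breaks the same usage down by day and by serverless task for the last 30 days, so that a schedule change or a newly enabled scanner package shows up as a step in the series rather than being hidden in one sum. It assumes the same access to SNOWFLAKE.ACCOUNT_USAGE as the query above (ACCOUNTADMIN by default) and the same DATABASE_NAME and SCHEMA_NAME filter; ACCOUNT_USAGE views lag live activity by up to a few hours, so the most recent day is usually incomplete.

```sql
-- Added example: daily Trust Center serverless credit usage, per task.
-- Assumes access to SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN by default).
SELECT
  DATE_TRUNC('day', start_time)   AS usage_day,
  task_name,
  COUNT(*)                        AS runs,      -- how many times the task ran that day
  ROUND(SUM(credits_used), 4)     AS credits    -- serverless credits consumed that day
FROM snowflake.account_usage.serverless_task_history
WHERE database_name = 'SNOWFLAKE'
  AND schema_name   = 'TRUST_CENTER_STATE'
  AND start_time   >= DATEADD(day, -30, CURRENT_TIMESTAMP())
GROUP BY usage_day, task_name
ORDER BY usage_day, credits DESC;
```

A sudden increase in the runs column on a given day is the signature of a shortened scanner package schedule; a new task_name appearing is the signature of a newly enabled package. Resource monitors do not cap serverless usage, so this query (or an alert built on it) is the practical control for Trust Center cost.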

Managing scanners

A scanner is a background process that periodically checks your account for security risks based on how the account is configured. Each scanner describes the security risks it checks for and identifies the scanner package that contains it. Scanners are grouped into scanner packages.

A scanner package contains a description and the list of scanners that run when you enable the package.

Each scanner package runs according to a schedule, and you can change that schedule to control how often its scanners run.

When you enable a scanner package, it runs immediately. This initial run does not alter the package's schedule.

By default, all scanner packages are disabled.

This section provides the following information:

  • Default scanner packages

  • Enable scanner packages

  • View available scanner packages

  • View descriptions of scanners in scanner packages

  • Change the schedule of a scanner package

  • Start a scanner package immediately

Default scanner packages

By default, the Trust Center provides the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for Snowflake account configurations meant to reduce security vulnerabilities. The CIS Snowflake Benchmarks were created through community collaboration and consensus among subject matter experts.

To obtain a copy of the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website.

The recommendations found in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation of the first section is numbered 1.1. In the Findings tab, the Trust Center provides the section number for each violation so that you can look it up in the CIS Snowflake Benchmarks.

Enable scanner packages

To enable a scanner package, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. Select the Settings tab.

  7. Select Enable.

View available scanner packages

To view available scanner packages, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Optionally, select Provider, Status, or Search to filter the list of scanner packages available.

View descriptions of scanners in scanner packages

To view descriptions of scanners in a scanner package, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. Select a scanner from the list of scanner names.

Change the schedule of a scanner package

To change the schedule of a scanner package, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. Select the Settings tab.

  7. Under Scanner Package Schedule, select Edit.

  8. Set your desired Frequency.

  9. Select Continue.

Start a scanner package immediately

To start a scanner package immediately, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. On the right side of Search, select Start.

Managing security risks

The Trust Center allows you to identify Snowflake configurations in the account that violate the requirements of enabled scanners. For each violation, the Trust Center provides an explanation of how to remediate it. After you remediate a violation, it continues to appear in the Findings tab until the next scheduled run of the scanner package containing the scanner that reported it begins, or until you start that scanner package manually.

No recommendations appear in the Findings tab if you have not enabled any scanner packages.

The Findings tab provides the following information:

  • A graph of scanner violations over time, color coded by low, medium, high, and critical severity.

  • An interactive list of recommendations for each violation found. Each recommendation contains details about the violation, when the scanner was last run, and how to remediate the violation.

Note

For some benchmarks, Snowflake only determines whether you have implemented a specific security measure, but does not evaluate whether the measure was implemented in a way that achieves its objective. For these benchmarks, the absence of a violation does not guarantee that the security measure is effective. The following benchmarks are either evaluated only for presence, not effectiveness, or are not checked by the Trust Center at all:

  • 2: Monitoring and Alerting. The Trust Center does not perform checks for this section.

  • 3.1: Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses. The Trust Center displays a violation if you do not have an account-level network policy, but does not evaluate whether the appropriate IP addresses have been allowed or blocked.

  • 4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. The Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter associated with Time Travel is not set to 90 days for the account or for at least one object, but does not evaluate which data is considered critical.

  • 4.10: Ensure that data masking is enabled for sensitive data. The Trust Center displays a violation if the account does not have at least one masking policy, but does not evaluate whether sensitive data is protected appropriately. The Trust Center does not evaluate whether a masking policy is assigned to at least one table or view.

  • 4.11: Ensure that row-access policies are configured for sensitive data. The Trust Center displays a violation if the account does not have at least one row access policy, but does not evaluate whether sensitive data is protected. The Trust Center does not evaluate whether a row access policy is assigned to at least one table or view.
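Because these four benchmarks pass as soon as the relevant object exists, a clean Findings tab is not evidence that the controls work. The following statements are an added example (not Trust Center logic and not from the Snowflake documentation) of the follow-up checks a reviewer can run for 3.1, 4.3, 4.10 and 4.11. They assume a role that can read SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN by default), and the network policy name MY_NETWORK_POLICY is a placeholder to replace with the name your account returns. ACCOUNT_USAGE views lag live metadata by up to a few hours, so a policy attached minutes ago may not show up yet.

```sql
-- Added example: manual effectiveness checks for the benchmarks the
-- Trust Center evaluates only by presence. Assumes ACCOUNT_USAGE access.

-- 3.1: the scanner only checks that an account-level policy is set.
-- Find out which policy it is, then read its allow/block lists yourself.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
-- MY_NETWORK_POLICY is a placeholder: use the value returned above.
DESCRIBE NETWORK POLICY MY_NETWORK_POLICY;

-- 4.3: every live base table whose Time Travel retention is below 90 days.
-- Deciding which of these hold critical data is a judgment the scanner
-- cannot make; transient tables can never exceed 1 day and need a different
-- answer (recreate as permanent) rather than a parameter change.
SELECT table_catalog, table_schema, table_name, is_transient, retention_time
FROM snowflake.account_usage.tables
WHERE deleted IS NULL
  AND table_type = 'BASE TABLE'
  AND retention_time < 90
ORDER BY table_catalog, table_schema, table_name;

-- 4.10: masking policies that exist but are attached to nothing.
-- One such policy satisfies the scanner while protecting zero columns.
-- policy_references also covers tag-based assignments, so a policy that
-- reaches columns only through a tag is correctly counted as attached.
SELECT p.policy_catalog, p.policy_schema, p.policy_name, p.created
FROM snowflake.account_usage.masking_policies AS p
LEFT JOIN snowflake.account_usage.policy_references AS r
  ON  r.policy_kind   = 'MASKING_POLICY'
  AND r.policy_db     = p.policy_catalog
  AND r.policy_schema = p.policy_schema
  AND r.policy_name   = p.policy_name
WHERE p.deleted IS NULL
  AND r.policy_name IS NULL;

-- 4.11: the same orphan check for row access policies.
SELECT p.policy_catalog, p.policy_schema, p.policy_name, p.created
FROM snowflake.account_usage.row_access_policies AS p
LEFT JOIN snowflake.account_usage.policy_references AS r
  ON  r.policy_kind   = 'ROW_ACCESS_POLICY'
  AND r.policy_db     = p.policy_catalog
  AND r.policy_schema = p.policy_schema
  AND r.policy_name   = p.policy_name
WHERE p.deleted IS NULL
  AND r.policy_name IS NULL;
```

Every row returned by the last three queries is a case where the Trust Center reports no violation but the control is not doing any work. The inverse question for 4.10 and 4.11, whether the columns and tables that actually hold sensitive data are the ones covered, still needs a data inventory (for example, object tags) to join against; the queries above can only tell you that a policy is attached somewhere.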

This section teaches you how to do the following tasks in the Trust Center:

  • View security risks

  • Remediate security risks

View security risks

The Trust Center provides the following information for each security risk found:

  • A way of resolving the risk.

  • A summary of when the risk was last scanned for.

  • The severity of the risk.

  • The scanner associated with the risk.

  • A description of the risk.

  • A list of entities in your account that are associated with the risk.

To view security risks, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Findings tab.

  5. Select a recommendation from the list of violations to view details about the violation associated with the recommendation.

  6. Optionally, select Severity, Violations, or Search to filter the list of recommendations shown.

Remediate security risks

When viewing individual security risks, you can learn how to remediate the risks associated with the recommendations that display, allowing you to harden the security of your account.

To remediate security risks, follow the steps below:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Requirements.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Findings tab.

  5. Select a recommendation from the list of violations.

  6. Follow the steps shown in the Remediation tab.