Trust Center¶

You can use the Trust Center to evaluate and monitor your account for security risks. The Trust Center evaluates your account against recommendations specified in scanners according to a schedule, but you can change how frequently scanners run. If your account violates any of the recommendations in any of the enabled scanners, then the Trust Center provides a list of security risks, and how to mitigate those risks.

Requirements¶

A user with the ACCOUNTADMIN role must grant your role the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role, depending on which Trust Center tab you want to access.

See the following table for information about which application roles you need for accessing specific tabs in the Trust Center:

Trust Center tab	Required application roles
Findings	`SNOWFLAKE.TRUST_CENTER_VIEWER` or `SNOWFLAKE.TRUST_CENTER_ADMIN`
Scanner Packages	`SNOWFLAKE.TRUST_CENTER_ADMIN`

For example, to create and grant a separate role for accessing the Findings tab, and a separate role for accessing the Scanner Packages tab, you can run the following commands using the ACCOUNTADMIN role:

USE ROLE ACCOUNTADMIN;

CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;

CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

GRANT ROLE trust_center_admin_role TO USER example_admin_user;

GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;

Copy

Findings¶

The Trust Center provides a Findings tab that provides the following information:

A graph of scanner violations over time, color coded by low, medium, high, and critical severity.
An interactive list of recommendations for each violation found. Each recommendation contains details about the violation, when the scanner was last run, and how to remediate the violation.

Findings let you identify Snowflake configurations in the account that violate the requirements of enabled scanner packages. For each violation, the Trust Center provides an explanation of how to remediate the violation. After you remediate a violation, the violation still appears in the Findings tab until the next scheduled run of the scanner package containing the scanner that reported the violation begins, or until you run the scanner package manually.

You need specific application role(s) to access the Findings tab. For more information, see the table in requirements.

Scanners¶

A scanner is a scheduled background process that checks your account for security risks based on how you configured your account. Scanners contain information about what security risks they check for in your account, and the scanner package that contains them. Scanners are grouped together into scanner packages.

Scanner packages contain a description and a list of scanners that run when you enable the scanner package. After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule.

By default, scanner packages are disabled, except for the Security Essentials scanner package.

Scanner packages run according to a schedule. You cannot change the schedule of the Security Essentials scanner package, but you can change the schedule of the CIS Benchmarks scanner package. You must first enable the CIS Benchmarks scanner package before you can change its schedule.

You need specific application role(s) to access the Scanner Packages tab. For more information, see the table in requirements.

The following scanner packages are available:

Security Essentials scanner package.
CIS Benchmarks scanner package.

Security Essentials scanner package¶

The Security Essentials scanner package is a free scanner package that does not incur cost. This scanner package scans your account to check for account configurations recommended by Snowflake.

By default, the Security Essentials scanner package is enabled and cannot be disabled.

The Security Essentials scanner package does not incur serverless compute cost.

CIS Benchmarks scanner package¶

You can access more security insights and the ability to change scanner package schedules by enabling the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for Snowflake account configurations meant to reduce security vulnerabilities. The CIS Snowflake Benchmarks were created through community collaboration and consensus among subject matter experts.

To obtain a copy of the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website.

The recommendations found in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation of the first section is numbered 1.1. In the Findings tab, the Trust Center provides section numbers for each violation if you want to reference the Snowflake CIS Benchmarks.

For information about enabling the CIS Benchmarks scanner package and cost that can incur from enabled scanners, see the following references:

Enable scanner packages
Monitoring cost

Note

For specific Snowflake CIS benchmarks, Snowflake only determines whether you have implemented a specific security measure, but does not evaluate whether the security measure was implemented in a way that achieves its objective. For these benchmarks, the absence of a violation does not guarantee that the security measure is implemented in an effective manner. The following benchmarks either do not evaluate whether your security implementations were implemented in a way that achieve their goal, or the Trust Center does not perform checks for them:

All of section 2: Monitoring and Alerting
3.1: Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses Trust Center displays a violation if you do not have an account-level network policy, but does not evaluate whether the appropriate IP addresses have been allowed or blocked.
4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter associated with Time Travel is not set to 90 days for the account or at least one object, but does not evaluate which data is considered critical.
4.10: Ensure that data masking is enabled for sensitive data Trust Center displays a violation if the account does not have at least one masking policy, but does not evaluate whether sensitive data is protected appropriately. The Trust Center does not evaluate whether a masking policy is assigned to at least one table or view.
4.11: Ensure that row-access policies are configured for sensitive data Trust Center displays a violation if the account does not have at least one row access policy, but does not evaluate whether sensitive data is protected. The Trust Center does not evaluate whether a row access policy is assigned to at least one table or view.

Monitoring cost¶

The Trust Center can incur serverless compute cost when you enable scanner packages.

You can monitor Trust Center cost using the SERVERLESS_TASK_HISTORY view to query the serverless task usage history.

By default, only users with the ACCOUNTADMIN role can access the SERVERLESS_TASK_HISTORY view. For details about granting access to additional users, see Enabling other roles to use schemas in the SNOWFLAKE database.

For example, to view the cost incurred by the Trust Center between May 20, 2024 and May 22, 2024, you can execute the following SQL statement:

SELECT SUM(CREDITS_USED)
  FROM snowflake.account_usage.serverless_task_history
  WHERE
    DATABASE_NAME = 'SNOWFLAKE' AND
    SCHEMA_NAME = 'TRUST_CENTER_STATE' AND
    START_TIME BETWEEN '2024-05-20 07:00:00.000 -0700' AND '2024-05-22 07:00:00.000 -0700';

Copy

For more information about credit consumption by serverless features, see Serverless credit usage.

Managing scanners¶

This section provides information about how you can do the following tasks in the Trust Center:

Enable scanner packages.
View available scanner packages.
View descriptions of scanners in scanner packages.
Change the schedule of a scanner package.
Run a scanner package manually.

Enable scanner packages¶

To enable a scanner package, follow the steps below:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select the Settings tab.
Select Enable.

View available scanner packages¶

To view available scanner packages, follow the steps below:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Optionally, select Provider, Status, or Search to filter the list of scanner packages available.

View descriptions of scanners in scanner packages¶

To view descriptions of scanners in a scanner package, follow the steps below:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select a scanner from the list of scanner names.

Change the schedule of a scanner package¶

To change the schedule of a scanner package, follow the steps below:

Ensure you enabled the CIS Benchmarks scanner package.
Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
Select the Settings tab.
Under Scanner Package Schedule, select Edit.
Set your desired Frequency.
Select Continue.

Run a scanner package manually¶

To run a scanner package manually, follow the steps below:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Scanner Packages tab.
Select a scanner package from the list.
On the right side of Search, select Start.

Managing security risks¶

This section provides information about how you can do the following tasks in the Trust Center:

View security risks.
Remediate security risks.

View security risks¶

To view security risks, follow the steps below:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Findings tab
Select a recommendation from the list of violations to view details about the violation associated with the recommendation.
Optionally, select Severity, Violations, or Search to filter the list of recommendations shown.

Remediate security risks¶

When viewing individual security risks, you can learn how to remediate the risks associated with the recommendations that display, allowing you to harden the security of your account.

To remediate security risks, follow the steps below:

Sign in to Snowsight.
Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

For more information about granting these roles, see Requirements.
In the left navigation bar, select Monitoring » Trust Center.
Select the Findings tab
Select a recommendation from the list of violations.
Follow the steps shown in the Remediation tab.