Trust Center overview
You can use the Trust Center to evaluate, monitor, and reduce potential security risks in your Snowflake accounts. The Trust Center evaluates each Snowflake account against recommendations that are specified in scanners. Scanners might generate findings. Trust Center findings provide information about how to reduce potential security risks in your Snowflake account. Not every scanner run generates a finding. A scanner run that finds no security concern generates no finding in the Trust Center. You can also use the Trust Center to configure proactive notifications that help you monitor your account for security risks.
Common Trust Center use cases
For more information about how to use the Trust Center to reduce security risks in your Snowflake account, see the following topics:
Limitations
Snowflake reader accounts aren’t supported.
Required roles
To view or manage scanners and their findings by using the Trust Center, a user with the ACCOUNTADMIN role
must grant the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role to your role.
The following table lists common tasks that you perform by using the Trust Center user interface, and the minimum application role that your role requires to perform those tasks:
Note
If you are using the Trust Center in the organization account, use the GLOBALORGADMIN role, not ACCOUNTADMIN, to grant the Trust Center application roles.
See the following table for information about the application roles that you need to access specific tabs of the Trust Center:
| Task | Trust Center tab | Minimum required application role | Notes |
|---|---|---|---|
| View detections | Detections | SNOWFLAKE.TRUST_CENTER_VIEWER | |
| View violations | Violations | SNOWFLAKE.TRUST_CENTER_VIEWER | |
| Manage violations | Violations | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| View scanners | Manage scanners | SNOWFLAKE.TRUST_CENTER_VIEWER | None. |
| Manage scanners | Manage scanners | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| View organization-level findings | Organization | ORGANIZATION_SECURITY_VIEWER, plus a Trust Center application role | The Organization tab is visible only in an Organization account. |
You can create a custom role that provides view-only access to the Violations and Detections tabs. You can also create a separate, administrator-level role to manage violations and scanners by using the Violations and Manage scanners tabs. For example, to create these two different roles, run the following commands:
USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;
CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;
GRANT ROLE trust_center_admin_role TO USER example_admin_user;
GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;
Note
This example isn’t intended to recommend a complete role hierarchy for using the Trust Center. For more information, see each sub-section in Using the Trust Center.
Using private connectivity with Trust Center
The Trust Center supports private connectivity. For more information, see Using private connectivity.
Trust Center findings
Trust Center findings include two kinds of findings: violations and detections. Both findings are generated by scanners as they run in your Snowflake accounts.
You can review findings at the organization level or you can examine more closely the findings for a specific account.
Note
Currently, you can’t view detection findings at the organization level.
Organization-level findings
The Organization tab provides insights into the violation findings that are generated in all of the accounts in the organization. This tab includes the following information:
The number of violations within the organization.
The accounts with the most severe violations.
The number of violations for each account within the organization. You can select an account to drill down into the individual violations for that account.
Note
You can’t use the Organization tab to resolve or reopen violations. To perform these actions, sign in to the account with the violation, and then access the Violations tab.
To access the Organization tab, you must meet the following requirements:
Sign in to the organization account.
Use a role that has the ORGANIZATION_SECURITY_VIEWER application role. You must also have a Trust Center application role.
Account-level findings
Scanners find and report violation and detection findings through the Trust Center. A violation persists over time and represents a configuration that doesn’t conform with a scanner’s requirements. A detection occurs one time and represents a unique event. You can use the Trust Center to view and manage findings for your account. For more information, see Using the Trust Center.
Violations
A scanner can examine an entity at any point and determine whether it is in violation based only on its current configuration. Scanners continue to report on violations unless you change the configuration to remediate the violations. For example, a scanner reports a violation if some users haven’t configured multi-factor authentication (MFA).
The Violations tab provides account-level information about scanner results. It includes the following information:
A graph of scanner violations over time, color-coded by low, medium, high, and critical severity.
An interactive list for each violation that is found. Each row in the list contains details about the violation, when the scanner was last run, and how to remediate the violation.
Violations help you identify Snowflake configurations in the account that violate the requirements of the enabled scanner packages. For each violation, the Trust Center explains how to remediate it. After you remediate a violation, it still appears in the Violations tab until the next scheduled run of the scanner package that contains the scanner that reported the violation begins, or until you run the scanner package manually.
When you are signed in to the account with the violations, you can use the Violations tab to perform the following actions:
Triage the violations that apply to you and record evidence or progress notes.
Resolve or reopen violations for any reason and record evidence for audit purposes.
Sort or filter violations by severity, scanner package, scanner version, scanned time, updated time, or status.
Add reasons for changing the status of a violation to provide a clear record of the actions taken.
You can remediate violations by changing the configuration. For each violation, the Trust Center provides suggestions for remediation. After you remediate the issue, the Trust Center no longer reports the violation. You can also manage the lifecycle of a violation finding by changing its status to Resolved. Email notifications are suppressed for resolved violations, so a resolved violation finding no longer generates a notification while you work to remediate the underlying misconfiguration.
Detections
A detection represents an event that happened at a specific time. The following findings are examples of events that might be reported as detections:
Login events originated from an unrecognized IP address.
A large amount of data was transferred to an external stage.
A task had a high error rate between two points in time.
Scanners report each detection based on an event trigger. For example, a scanner reports a detection when it detects a suspicious sign-in event and reports a separate detection when it detects another suspicious sign-in event at a different time. For a detection, the Trust Center provides information about the event. Because the event is unique and happened in the past, direct remediation of a detection isn’t possible.
Based on the information that the Trust Center provides, you can investigate whether the detection is meaningful. If the detection is meaningful, you can take actions to prevent similar events in the future.
Note
If the scanner that reported the detection runs again, it might or might not report similar detections. Currently, you can’t manage the lifecycle of a detection.
For more information about managing detections, see View detections.
Scanners
A scanner is a background process that checks your account for security risks that are based on the following criteria:
How you configured your account.
Anomalous events.
The Trust Center groups scanners into scanner packages. Scanner details provide information about what security risks the scanner checks for in your account, when the scanner runs, and who receives notifications about the scanner’s findings for your account. To see the details for a specific scanner, follow the instructions in View details for a scanner.
Schedule-based scanners
Schedule-based scanners run at specific times, according to their schedules. You must enable a scanner package before you can change the schedule for a scanner. For more information about changing the schedule for a scanner, see Change the schedule for a scanner.
Event-driven scanners
Event-driven scanners generate detections that are based on relevant events. Examples include scanners that detect sign-ins from unusual IP addresses and scanners that detect changes to sensitive parameters. You can’t schedule an event-driven scanner, because an event, not a schedule, drives the detection that an event-driven scanner generates. The Trust Center reports detections that are generated by event-driven scanners within an hour of the time that an event occurs.
An event-based scanner can detect events that a schedule-based scanner could miss. For example, consider a schedule-based scanner that checks the TRUE or FALSE state of a Boolean parameter once every 10 minutes. Toggling the value of that parameter from TRUE to FALSE, and then back to TRUE again before 10 minutes pass, would go undetected by the schedule-based scanner. An event-based scanner that detects each state change would detect both events.
For a current list of event-driven scanners, see Threat Intelligence scanner package.
Note
Event-driven scanners might appear as multiple items in the METERING_HISTORY view.
Scanner packages
Scanner packages contain a description and a list of scanners that run when you enable the scanner package.
After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule. After you enable a scanner package, you can enable or disable individual scanners in the scanner package. Your role must have the SNOWFLAKE.TRUST_CENTER_ADMIN application role to manage scanners by using the Manage scanners tab. For more information, see Required roles.
The following scanner packages are available:
For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:
Scanner packages are deactivated by default, except for the Security Essentials scanner package.
Security Essentials scanner package
The Security Essentials scanner package scans your account to check whether you have set up the following recommendations:
You have an authentication policy that enforces all human users to enroll in MFA if they use passwords to authenticate.
All human users are enrolled in MFA if they use passwords to authenticate.
You set up an account-level network policy that was configured to only allow access from trusted IP addresses.
You have configured an event table if your account has enabled event sharing for a Native App, so that your account receives a copy of the log messages and event information that are shared with the application provider.
This scanner package only scans users that are human users; that is, user objects with a TYPE property of PERSON or NULL. For more information, see User types.
The Security Essentials scanner package:
Is enabled by default. You can’t deactivate it.
Runs once a month. You can’t change this schedule.
Is a free scanner package that doesn’t incur serverless compute cost.
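As an added example (not part of the Snowflake documentation), the following SQL puts in place the two configurations that the Security Essentials scanners check for: an account-level authentication policy that requires MFA enrollment, and an account-level network policy that allows only trusted addresses. The database, schema and policy names and the CIDR ranges are placeholder assumptions; replace them with your own.

```sql
USE ROLE ACCOUNTADMIN;

-- Placeholder location for account-level policy objects (assumption).
CREATE DATABASE IF NOT EXISTS security_admin;
CREATE SCHEMA IF NOT EXISTS security_admin.policies;

-- Recommendation 1: an authentication policy that requires MFA enrollment
-- for users who authenticate with a password.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_admin.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Require MFA enrollment for password sign-in (Security Essentials)';

-- Attach it at the account level so that every user is covered.
ALTER ACCOUNT SET AUTHENTICATION POLICY security_admin.policies.require_mfa;

-- Recommendation 2: an account-level network policy restricted to trusted
-- addresses. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
-- used here as placeholders for your corporate egress ranges.
-- Snowflake refuses to activate a policy that would block the session
-- running this statement, so make sure your own address is in the list.
CREATE NETWORK POLICY IF NOT EXISTS trusted_office_ips
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Allow only trusted corporate egress ranges';

ALTER ACCOUNT SET NETWORK_POLICY = trusted_office_ips;

-- Confirm what is in force before the next scheduled scanner run.
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;
DESCRIBE AUTHENTICATION POLICY security_admin.policies.require_mfa;
```

The Security Essentials package runs once a month, so after applying these changes the violation remains visible until the next run, as described under Violations.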
CIS Benchmarks scanner package
You can access additional security insights by enabling the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the criteria of the Center for Internet Security (CIS) Benchmarks for Snowflake. The CIS Benchmarks for Snowflake are a list of best practices for configuring Snowflake accounts to reduce security vulnerabilities. The CIS Benchmarks for Snowflake were created through community collaboration and subject-matter expert consensus.
To obtain a copy of the CIS Benchmarks for Snowflake document, see the CIS Benchmark for Snowflake website.
The recommendations in the CIS Benchmarks for Snowflake are numbered by section and by recommendation. For example, the first recommendation in the first section is numbered 1.1. In the Violations tab, the Trust Center provides section numbers for each violation in case you want to refer to the CIS Benchmarks for Snowflake.
This scanner package runs once a day by default, but you can change its schedule.
For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:
Note
For some CIS Benchmarks for Snowflake, Snowflake determines only whether you have implemented a specific security measure, but doesn’t evaluate whether the measure was implemented in a way that achieves its goal. For these benchmarks, the absence of a violation doesn’t guarantee that the security measure is implemented effectively. The following benchmarks don’t evaluate whether your security measures were implemented in a way that achieves their goal, or the Trust Center doesn’t perform checks on them:
All of section 2: Ensure that activities are monitored, and provide recommendations for configuring Snowflake to handle activities that require particular attention. These scanners contain complex queries whose violations don’t appear in the Snowsight console.
A security officer can obtain valuable information about the section 2 scanners by running the following query against the snowflake.trust_center.findings view:
SELECT start_timestamp, end_timestamp, scanner_id, scanner_short_description, impact, severity, total_at_risk_count, AT_RISK_ENTITIES
FROM snowflake.trust_center.findings
WHERE scanner_type = 'Threat' AND completion_status = 'SUCCEEDED'
ORDER BY event_id DESC;
In the output, the AT_RISK_ENTITIES column contains JSON content with details about the activities that require review or remediation. For example, the CIS_BENCHMARKS_CIS2_1 scanner monitors grants of elevated privileges, and security officers should carefully examine the events that this scanner reports, such as the following example event:
[
  {
    "entity_detail": {
      "granted_by": "joe_smith",
      "grantee_name": "SNOWFLAKE$SUSPICIOUS_ROLE",
      "modified_on": "2025-01-01 07:00:00.000 Z",
      "role_granted": "ACCOUNTADMIN"
    },
    "entity_id": "SNOWFLAKE$SUSPICIOUS_ROLE",
    "entity_name": "SNOWFLAKE$SUSPICIOUS_ROLE",
    "entity_object_type": "ROLE"
  }
]
Snowflake offers the following best practices for the section 2 scanners:
Don’t disable the section 2 scanners unless you are sure that you have sufficient monitoring measures in place.
Inspect the violations of section 2 scanners on a regular cadence or configure a monitoring task for detections. Specifically, configure monitoring as described in the SUGGESTED_ACTION column of the snowflake.trust_center.findings view.
3.1: Ensure that an account-level network policy was configured to only allow access from trusted IP addresses. The Trust Center displays a violation if you don’t have an account-level network policy, but doesn’t evaluate whether the appropriate IP addresses have been allowed or blocked.
4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. The Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter associated with Time Travel isn’t set to 90 days for the account or for at least one object, but doesn’t evaluate which data is considered critical.
4.10: Ensure that data masking is enabled for sensitive data. The Trust Center displays a violation if the account doesn’t have at least one masking policy, but doesn’t evaluate whether sensitive data is protected appropriately. The Trust Center doesn’t evaluate whether a masking policy is assigned to at least one table or view.
4.11: Ensure that row access policies are configured for sensitive data. The Trust Center displays a violation if the account doesn’t have at least one row access policy, but doesn’t evaluate whether sensitive data is protected. The Trust Center doesn’t evaluate whether a row access policy is assigned to at least one table or view.
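As an added example that is not from the Snowflake documentation, the following query unpacks the AT_RISK_ENTITIES array of the CIS_BENCHMARKS_CIS2_1 findings shown above into one row per reported grant, so that each elevated-privilege grant can be reviewed next to the scanner’s SUGGESTED_ACTION. It assumes that AT_RISK_ENTITIES is a VARIANT array with the structure of the sample event, that the findings view exposes the SCANNER_ID, COMPLETION_STATUS, EVENT_ID and SUGGESTED_ACTION columns named on this page, and that trust_center_viewer_role is the example role created under Required roles.

```sql
-- A role holding a Trust Center application role is required to read the view
-- (trust_center_viewer_role is the example role from this page).
USE ROLE trust_center_viewer_role;

-- Most recent successful run of the CIS 2.1 (elevated-privilege grants) scanner.
WITH latest_run AS (
  SELECT *
  FROM snowflake.trust_center.findings
  WHERE scanner_id = 'CIS_BENCHMARKS_CIS2_1'
    AND completion_status = 'SUCCEEDED'
  ORDER BY event_id DESC
  LIMIT 1
)
-- One row per at-risk entity: FLATTEN expands the AT_RISK_ENTITIES array
-- (assumed VARIANT) and the path expressions pull out the entity_detail fields
-- that appear in the sample event above.
SELECT
  f.start_timestamp,
  f.end_timestamp,
  f.severity,
  e.value:entity_detail:granted_by::STRING    AS granted_by,
  e.value:entity_detail:grantee_name::STRING  AS grantee_name,
  e.value:entity_detail:role_granted::STRING  AS role_granted,
  e.value:entity_detail:modified_on::STRING   AS modified_on,
  e.value:entity_object_type::STRING          AS entity_object_type,
  f.suggested_action
FROM latest_run AS f,
     LATERAL FLATTEN(INPUT => f.at_risk_entities) AS e
-- ACCOUNTADMIN grants are the highest-impact rows, so surface them first,
-- newest grant at the top.
ORDER BY
  IFF(e.value:entity_detail:role_granted::STRING = 'ACCOUNTADMIN', 0, 1),
  e.value:entity_detail:modified_on::STRING DESC;
```

Each row in the result is a single grant to triage; a grantee or granted_by value that is not on your expected list of administrators is the case the scanner exists to surface.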
Threat Intelligence scanner package
You can access additional security insights in the Trust Center by enabling the Threat Intelligence scanner package. This package identifies risks based on the following criteria:
User types: Whether a Snowflake account user is a human or a service.
Authentication methods or policies: Whether a user logs in to their account with a password without being enrolled in MFA.
Sign-in activity: Whether a user hasn’t signed in recently.
Anomalous failure rates: Whether a user has a high number of authentication failures or task errors.
New! Detection findings: all new scanners that report detection findings.
Specific scanners in the Threat Intelligence package flag users who demonstrate potentially risky behavior as risky. The following table provides examples:
Threat Intelligence scanners
| Scanner | Type | Description |
|---|---|---|
| Migrate human users away from password-only sign-in | Schedule-based | Identifies human users who either (a) haven’t set up MFA and signed in with a password at least once in the past 90 days, or (b) have a password but haven’t set up MFA and haven’t signed in for 90 days. |
| Migrate legacy service users away from password-only sign-in | Schedule-based | Identifies legacy service users who have a password and either (a) have signed in with only a password at least once in the past 90 days, or (b) haven’t signed in for 90 days. |
| Identify users with a high volume of authentication failures | Schedule-based | Identifies users with a high number of authentication failures or job errors, which might indicate attempted takeovers of an account, misconfigurations, exceeded quotas, or permission issues. Provides a risk-severity finding and a risk-mitigation recommendation. |
New Threat Intelligence scanners
Both schedule-based scanners and event-based scanners can report detections. This preview adds new scanners of both types. All of the added scanners generate detections instead of violation findings.
This preview adds the following new scanners to the Threat Intelligence scanner package:
| Scanner | Type | Description |
|---|---|---|
| Authentication policy changes | Event-driven | Finds changes to authentication policies at both the account level and the user level. |
| Dormant user sign-ins | Event-driven | Analyzes sign-in history events and flags sign-ins from users who haven’t signed in during the last 90 days. |
| Entities with long-running queries | Schedule-based | Finds users and query IDs associated with long-running queries, which are queries with durations that are two standard deviations away from the average query duration over the last 7 days, or since the last time the scanner ran, whichever is more recent. We recommend setting this scanner to run once a day. This scanner might cost more initially, as it builds a 30-day cache, which it stores thereafter. Trust Center reports a detection event the first time this scanner runs. |
| Login protection | Event-driven | Finds recent logins from unusual IP addresses. Important: These events originate from the Malicious IP Protection service and require immediate attention. |
| Sensitive parameter protection | Event-driven | Reports disablement of the following sensitive account-level parameters: PREVENT_UNLOAD_TO_INLINE_URL, REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION, and REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION. This scanner only reports detections of a change from |
| Users with administrator privileges | Schedule-based | Finds newly created users whose default role is an administrator role, as well as recent grants to existing users that grant them an administrator role. |
| Users with unusual applications used in sessions | Schedule-based | Finds users who have used unusual client applications that connect to Snowflake. |
The Threat Intelligence scanner package runs once a day by default, but you can change its schedule.
For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:
