Trust Center overview

You can use the Trust Center to evaluate, monitor, and reduce potential security risks in your Snowflake accounts. The Trust Center evaluates each Snowflake account against recommendations that are specified in scanners. Scanners might generate findings. Trust Center findings provide information about how to reduce potential security risks in your Snowflake account. Not every scanner run generates a finding. A scanner run that finds no security concern generates no finding in the Trust Center. You can also use the Trust Center to configure proactive notifications that help you monitor your account for security risks.

Common Trust Center use cases

For more information about how to use the Trust Center to reduce security risks in your Snowflake account, see the following topics:

Limitations

Snowflake reader accounts aren't supported.

Required roles

To view or manage scanners and their findings by using the Trust Center, a user with the ACCOUNTADMIN role must grant the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role to your role.

The following table lists common tasks that you perform by using the Trust Center user interface, and the minimum application role that your role requires to perform those tasks:

Note

If you are using the Trust Center in the organization account, use the GLOBALORGADMIN role, not ACCOUNTADMIN, to grant the Trust Center application roles.

For the application roles that are required to access specific Trust Center tabs, see the following table.

| Task | Trust Center tab | Minimum required application role | Notes |
|---|---|---|---|
| View detection findings | Detections | SNOWFLAKE.TRUST_CENTER_VIEWER | The SNOWFLAKE.TRUST_CENTER_ADMIN role can also view detections. |
| View violation findings | Violations | SNOWFLAKE.TRUST_CENTER_VIEWER | The SNOWFLAKE.TRUST_CENTER_ADMIN role can also view violations. |
| Manage violation findings lifecycle | Violations | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| Manage scanner packages | Manage scanners | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| Manage scanners | Manage scanners | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| View org-level violations | Organization | ORGANIZATION_SECURITY_VIEWER and SNOWFLAKE.TRUST_CENTER_ADMIN | The Organization tab is visible only in an organization account. |

You can create a custom role that provides view-only access to the Violations and Detections tabs. You can also create a separate, administrator-level role to manage violations and scanners by using the Violations and Manage scanners tabs. For example, to create these two different roles, run the following commands:

USE ROLE ACCOUNTADMIN;

CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;

CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

GRANT ROLE trust_center_admin_role TO USER example_admin_user;

GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;

Note

This example isn't intended to recommend a complete role hierarchy for using the Trust Center. For more information, see each sub-section in Using the Trust Center.

Using private connectivity with Trust Center

The Trust Center supports private connectivity. For more information, see Using private connectivity.

Trust Center findings

Trust Center findings include two kinds of findings: violations and detections. Both findings are generated by scanners as they run in your Snowflake accounts.

You can review findings at the organization level or you can examine more closely the findings for a specific account.

Note

Currently, you can't view detection findings at the organization level.

Organization-level findings

The Organization tab provides insights into the violation findings that are generated in all of the accounts in the organization. This tab includes the following information:

  • The number of violations in the organization.

  • The accounts with the most severe violations.

  • The number of violations in each account in the organization. You can select an account to drill down into each violation in that account.

Note

You can't use the Organization tab to resolve or reopen violations. To perform these actions, sign in to the account with the violation, and then access the Violations tab.

To access the Organization tab, you must meet the following requirements:

  • Sign in to the organization account.

  • Use a role that has the ORGANIZATION_SECURITY_VIEWER application role. A Trust Center application role is also required.

Account-level findings

Scanners find and report violation and detection findings through the Trust Center. A violation persists over time and represents a configuration that doesn't conform with a scanner's requirements. A detection occurs one time and represents a unique event. You can use the Trust Center to view and manage findings for your account. For more information, see Using the Trust Center.

Violations

A scanner can examine an entity at any point and determine whether it is in violation based only on its current configuration. Scanners continue to report on violations unless you change the configuration to remediate the violations. For example, a scanner reports a violation if some users haven't configured multi-factor authentication (MFA).

The Violations tab provides account-level information about scanner results. It includes the following information:

  • A graph of scanner violations over time, color-coded by severity: low, medium, high, and critical.

  • An interactive list for each violation that is found. Each row in the list contains details about the violation, when the scanner was last run, and how to remediate the violation.

Violations identify Snowflake configurations in your account that don't meet the requirements of an enabled scanner package. For each violation, the Trust Center explains how to remediate it. After you remediate a violation, it continues to appear on the Violations tab until the next scheduled run of the scanner package that contains the scanner that reported it starts, or until you manually start the scanner package.

When you are signed in to the account with the violations, you can use the Violations tab to perform the following actions:

  • Triage the applicable violations and record evidence or progress.

  • Resolve or reopen a violation for any reason, and record the justification for audit purposes.

  • Sort or filter violations by severity, scanner package, scanner version, scanned time, updated time, or status.

  • Add a reason for a violation's status change to provide a clear record of the action that you took.

You can remediate violations by changing the configuration. For a violation, the Trust Center provides suggestions for remediation. After you remediate the issue, the Trust Center no longer reports the violation. You can also manage the lifecycle of a violation finding by changing its status to Resolved. Email notifications are suppressed for resolved violations. Suppression prevents more notifications while you work to remediate the underlying misconfigurations. A resolved violation finding no longer generates a notification.

Detections

A detection represents an event that happened at a specific time. The following findings are examples of events that might be reported as detections:

  • Login events originated from an unrecognized IP address.

  • A large amount of data was transferred to an external stage.

  • A task had a high error rate between two points in time.

Scanners report each detection based on an event trigger. For example, a scanner reports a detection when it detects a suspicious sign-in event and reports a separate detection when it detects another suspicious sign-in event at a different time. For a detection, the Trust Center provides information about the event. Because the event is unique and happened in the past, direct remediation of a detection isn't possible.

Based on the information that the Trust Center provides, you can investigate whether the detection is meaningful. If the detection is meaningful, you can take actions to prevent similar events in the future.

Note

If the scanner that reported the detection runs again, it might or might not report similar detections. Currently, you can't manage the lifecycle of a detection.

For more information about managing detections, see View detections.

Scanners

A scanner is a background process that checks your account for security risks that are based on the following criteria:

  • How you configured your account.

  • Anomalous events.

The Trust Center groups scanners into scanner packages. Scanner details provide information about what security risks the scanner checks for in your account, when the scanner runs, and who receives notifications about the scanner's findings for your account. To see the details for a specific scanner, follow the instructions in View details for a scanner.

Schedule-based scanners

Schedule-based scanners run at specific times, according to their schedules. You must enable a scanner package before you can change the schedule for a scanner. For more information about changing the schedule for a scanner, see Change the schedule for a scanner.

Event-driven scanners

Event-driven scanners generate detections that are based on relevant events. Examples include scanners that detect sign-ins from unusual IP addresses and scanners that detect changes to sensitive parameters. You can't schedule an event-driven scanner, because an event, not a schedule, drives the detection that an event-driven scanner generates. The Trust Center reports detections that are generated by event-driven scanners within an hour of the time that an event occurs.

An event-driven scanner can detect events that a schedule-based scanner could miss. For example, consider a schedule-based scanner that checks the TRUE or FALSE state of a Boolean parameter once every 10 minutes. Toggling that parameter (that is, changing its state) from TRUE to FALSE, and then back to TRUE before 10 minutes pass, would go undetected by the schedule-based scanner. An event-driven scanner that reports each state change would detect both events.

For a current list of event-driven scanners, see Threat Intelligence scanner package.

Note

Event-driven scanners might appear as multiple items in the METERING_HISTORY view.

Scanner Packages

Scanner packages contain a description and a list of scanners that run when you enable the scanner package. After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule. After you enable a scanner package, you can enable or disable individual scanners in the scanner package. Your role must have the SNOWFLAKE.TRUST_CENTER_ADMIN application role to manage scanners by using the Manage scanners tab. For more information, see Required roles.

The following scanner packages are available:

For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:

Scanner packages are deactivated by default, except for the Security Essentials scanner package.

Security Essentials scanner package

The Security Essentials scanner package scans your account to check whether you have set up the following recommendations:

  • You have an authentication policy that enforces all human users to enroll in MFA if they use passwords to authenticate.

  • All human users who use a password to authenticate are enrolled in MFA.

  • You set up an account-level network policy that was configured to only allow access from trusted IP addresses.

  • If your account has enabled event sharing with a native app, you have set up an event table so that you receive a copy of the log messages and event information that are shared with the application provider.

This scanner package only scans users that are human users; that is, user objects with a TYPE property of PERSON or NULL. For more information, see User types.

The Security Essentials scanner package:

  • Is enabled by default. You can't deactivate it.

  • Runs once a month. You can't change this schedule.

  • Is a free scanner package that doesn't incur serverless compute cost.
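The two configurations that this package checks can be put in place and verified with SQL. The following is an added example, not code from the Snowflake documentation. It assumes a schema named security_db.policies for the authentication policy object, a network policy named trusted_ips_only whose IP ranges are RFC 5737 documentation addresses used as placeholders, and that the SHOW USERS output on your account includes the has_mfa column.

```sql
-- Added example (not from the Snowflake documentation). Assumed names:
-- security_db.policies, require_mfa_for_passwords, trusted_ips_only.
-- The IP ranges below are RFC 5737 documentation addresses used as placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Authentication policy: any user who authenticates with a password must enroll in MFA.
CREATE DATABASE IF NOT EXISTS security_db;
CREATE SCHEMA IF NOT EXISTS security_db.policies;

CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa_for_passwords
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'Security Essentials: password sign-in requires MFA enrollment';

-- Attach the policy at the account level so that it covers every human user.
ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa_for_passwords;

-- 2. Account-level network policy that allows only trusted addresses.
-- Replace the placeholder ranges with your own egress addresses BEFORE running the
-- ALTER ACCOUNT statement: Snowflake rejects it if your current IP is not in the list.
CREATE NETWORK POLICY IF NOT EXISTS trusted_ips_only
  ALLOWED_IP_LIST = ('192.0.2.0/24', '198.51.100.10')
  COMMENT = 'Security Essentials: account-level allow list (placeholder ranges)';

ALTER ACCOUNT SET NETWORK_POLICY = trusted_ips_only;

-- 3. Verify what the scanner will see.
DESCRIBE AUTHENTICATION POLICY security_db.policies.require_mfa_for_passwords;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN ACCOUNT;   -- "value" shows the attached policy

-- 4. Human users (TYPE PERSON or NULL) who still have a password but no MFA.
-- Assumes the has_mfa column of SHOW USERS is available on your account.
SHOW USERS;
SELECT "name", "type", "has_password", "has_mfa", "last_success_login"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE COALESCE(NULLIF("type", ''), 'PERSON') = 'PERSON'
   AND "has_password" = 'true'
   AND "has_mfa" = 'false'
   AND "disabled" = 'false'
 ORDER BY "last_success_login" DESC NULLS LAST;
```

Step 4 lists the users that the second recommendation above is about: human users who can still sign in with only a password. The policy in step 1 forces those users to enroll the next time they sign in, so the list should shrink to zero over the following sign-in cycle.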

CIS Benchmarks scanner package

Enabling the CIS Benchmarks scanner package gives you access to additional security insights through scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for Snowflake account configuration that are intended to reduce security vulnerabilities. They were created through community collaboration and consensus among subject-matter experts.

To obtain the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website.

The recommendations in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation in section 1 is numbered 1.1. On the Violations tab, the Trust Center provides the section number for each violation so that you can refer to the Snowflake CIS Benchmarks.

This scanner package runs once a day by default, but you can change the schedule.

For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:

Note

For certain Snowflake CIS Benchmarks, Snowflake determines only whether a specific security measure has been implemented; it doesn't evaluate whether the measure was implemented in a way that achieves its objective. For these benchmarks, the absence of a violation doesn't guarantee that the security measure has been implemented effectively. The following benchmarks are either not evaluated for whether the security implementation achieves its goal, or are not checked by the Trust Center at all:

  • All of section 2: Provides recommendations for configuring Snowflake to ensure that activity is monitored and to address activity that requires attention. These scanners involve complex queries whose violations aren't displayed in the Snowsight console.

    Security personnel can get valuable insights from the section 2 scanners by running the following query against the snowflake.trust_center.findings view:

    SELECT start_timestamp,
           end_timestamp,
           scanner_id,
           scanner_short_description,
           impact,
           severity,
           total_at_risk_count,
           AT_RISK_ENTITIES
      FROM snowflake.trust_center.findings
      WHERE scanner_type = 'Threat' AND
            completion_status = 'SUCCEEDED'
      ORDER BY event_id DESC;

    In the output, the AT_RISK_ENTITIES column contains JSON content with details about the activity that requires review or remediation. For example, the CIS_BENCHMARKS_CIS2_1 scanner monitors high-privilege grants. Security personnel should carefully review the events that this scanner reports, such as the following sample event:

    [
      {
        "entity_detail": {
          "granted_by": "joe_smith",
          "grantee_name": "SNOWFLAKE$SUSPICIOUS_ROLE",
          "modified_on": "2025-01-01 07:00:00.000 Z",
          "role_granted": "ACCOUNTADMIN"
        },
        "entity_id": "SNOWFLAKE$SUSPICIOUS_ROLE",
        "entity_name": "SNOWFLAKE$SUSPICIOUS_ROLE",
        "entity_object_type": "ROLE"
      }
    ]
    

    Snowflake suggests the following best practices for the section 2 scanners:

    • Don't disable the section 2 scanners unless you are confident that sufficient monitoring measures are in place.

    • Inspect the violations of section 2 scanners on a regular cadence or configure a monitoring task for detections. Specifically, configure monitoring as described in the SUGGESTED_ACTION column of the snowflake.trust_center.findings view.

  • 3.1: Ensure that an account-level network policy was configured to only allow access from trusted IP addresses. Trust Center displays a violation if you don't have an account-level network policy, but doesn't evaluate whether the appropriate IP addresses have been allowed or blocked.

  • 4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. The Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter, which relates to Time Travel, isn't set to 90 days for the account or for at least one object, but it doesn't evaluate which data is considered critical.

  • 4.10: Ensure that data masking is enabled for sensitive data. The Trust Center displays a violation if the account doesn't have at least one masking policy, but it doesn't evaluate whether sensitive data is adequately protected. The Trust Center doesn't evaluate whether a masking policy is assigned to at least one table or view.

  • 4.11: Ensure that row access policies are configured for sensitive data. The Trust Center displays a violation if the account doesn't have at least one row access policy, but it doesn't evaluate whether sensitive data is protected. The Trust Center doesn't evaluate whether a row access policy is assigned to at least one table or view.
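The section 2 query above returns the AT_RISK_ENTITIES column as one JSON array per finding, which is awkward to triage by eye. The following added example, not code from the Snowflake documentation, flattens that array into one row per at-risk entity for the CIS_BENCHMARKS_CIS2_1 scanner, using the field names of the sample event above. It assumes that AT_RISK_ENTITIES is a VARIANT column, that END_TIMESTAMP is a timestamp, and that SUGGESTED_ACTION is a text column of the findings view (the page names the column but doesn't show its content); the 24-hour window is a constructed filter.

```sql
-- Added example (not from the Snowflake documentation): one row per privileged grant
-- reported by CIS_BENCHMARKS_CIS2_1. Assumes AT_RISK_ENTITIES is a VARIANT array shaped
-- like the sample event on this page and END_TIMESTAMP is a TIMESTAMP column.
USE ROLE trust_center_viewer_role;   -- any role holding SNOWFLAKE.TRUST_CENTER_VIEWER

SELECT
    f.event_id,
    f.end_timestamp,
    f.scanner_id,
    f.severity,
    e.value:entity_object_type::STRING           AS entity_object_type,
    e.value:entity_name::STRING                  AS entity_name,
    e.value:entity_detail:role_granted::STRING   AS role_granted,
    e.value:entity_detail:grantee_name::STRING   AS grantee_name,
    e.value:entity_detail:granted_by::STRING     AS granted_by,
    e.value:entity_detail:modified_on::STRING    AS modified_on,
    f.suggested_action                           -- the page's recommended monitoring step
FROM snowflake.trust_center.findings AS f,
     LATERAL FLATTEN(INPUT => f.at_risk_entities) AS e
WHERE f.scanner_id = 'CIS_BENCHMARKS_CIS2_1'
  AND f.completion_status = 'SUCCEEDED'
  -- Constructed filter: only findings completed in the last 24 hours
  AND f.end_timestamp >= DATEADD(hour, -24, CURRENT_TIMESTAMP())
-- Grants of ACCOUNTADMIN (as in the sample event) sort first, then newest finding first
ORDER BY IFF(e.value:entity_detail:role_granted::STRING = 'ACCOUNTADMIN', 0, 1),
         f.event_id DESC;
```

Run on the sample event above, this yields a single row with entity_name SNOWFLAKE$SUSPICIOUS_ROLE, role_granted ACCOUNTADMIN and granted_by joe_smith, which is exactly the triple (what was granted, to whom, by whom) a reviewer needs before deciding whether the grant was expected. Scheduling this query as a Snowflake task is one way to implement the regular-cadence inspection that the best practices above call for.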

Threat Intelligence scanner package

Enabling the Threat Intelligence scanner package gives you access to additional security insights in the Trust Center. This package identifies risks based on the following criteria:

  • User type: Whether a Snowflake account user is a human or a service.

  • Authentication methods or policies: Whether a user logs in to their account with a password without being enrolled in MFA.

  • Sign-in activity: Whether a user hasn't signed in recently.

  • Anomalous failure rates: Whether a user has many authentication failures or job errors.

  • New! Detection findings: all new scanners that report detection findings.

Specific scanners in the Threat Intelligence package identify users that demonstrate potentially risky behavior as risky. The following table provides examples:

Threat Intelligence scanners

| Scanner | Type | Description |
|---|---|---|
| Migrate human users away from password-only sign-in | Schedule-based | Identifies human users who (a) haven't set up MFA and signed in with a password at least once in the past 90 days and (b) have a password but haven't set up MFA and haven't signed in for 90 days. |
| Migrate legacy service users away from password-only sign-in | Schedule-based | Identifies legacy service users who have a password and (a) have signed in with only a password at least once in the past 90 days and (b) haven't signed in for 90 days. |
| Identify users with a high volume of authentication failures | Schedule-based | Identifies users with a high number of authentication failures or job errors, which might indicate attempted takeovers of an account, misconfigurations, exceeded quotas, or permission issues. Provides a risk-severity finding and a risk-mitigation recommendation. |

New Threat Intelligence scanners

Both schedule-based scanners and event-based scanners can report detections. This preview adds new scanners of both types. All of the added scanners generate detections instead of violation findings.

This preview adds the following new scanners to the Threat Intelligence scanner package:

| Scanner | Type | Description |
|---|---|---|
| Authentication policy changes | Event-driven | Finds changes to authentication policies at both the account level and the user level. |
| Dormant user sign-ins | Event-driven | Analyzes sign-in history events and flags sign-ins from users who haven't signed in during the last 90 days. |
| Entities with long-running queries | Schedule-based | Finds users and query IDs associated with long-running queries, which are queries with durations that are two standard deviations away from an average query duration over the last 7 days, or the last time the scanner ran, whichever is more recent. We recommend setting this scanner to run once a day. This scanner might cost more initially, as it builds a 30-day cache, which it stores thereafter. Trust Center reports a detection event the first time this scanner runs. |
| Login protection | Event-driven | Finds recent logins from unusual IP addresses. Important: These events originate from the Malicious IP Protection service and require immediate attention. |
| Sensitive parameter protection | Event-driven | Reports disablement of the following sensitive account-level parameters: PREVENT_UNLOAD_TO_INLINE_URL, REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION, and REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION. This scanner only reports detections of a change from TRUE to FALSE for these parameters, which are set to TRUE by default for the best security posture. |
| Users with administrator privileges | Schedule-based | Finds newly created users whose default role is an administrator role, as well as recent grants to existing users that grant them an administrator role. |
| Users with unusual applications used in sessions | Schedule-based | Finds users who have used unusual client applications that connect to Snowflake. |
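Because a detection can't be remediated directly, the useful response to a Sensitive parameter protection detection is to confirm the current parameter state, find the statement that changed it, and restore the default. The following added example, not code from the Snowflake documentation, does those three steps for the three parameters named in the table; it reads ACCOUNT_USAGE.QUERY_HISTORY for the evidence step, and the 7-day window is a constructed filter.

```sql
-- Added example (not from the Snowflake documentation): respond to a
-- "Sensitive parameter protection" detection. Requires ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- 1. Current state. SHOW PARAMETERS returns key/value/default/level columns; "level"
--    is ACCOUNT when the value was set explicitly and empty when it is still the default.
SHOW PARAMETERS IN ACCOUNT;
SELECT "key", "value", "default", "level"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "key" IN ('PREVENT_UNLOAD_TO_INLINE_URL',
                 'REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION',
                 'REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION')
   AND UPPER("value") <> 'TRUE';           -- any row here is a parameter still disabled

-- 2. Evidence: who ran the ALTER ACCOUNT that changed them. ACCOUNT_USAGE views lag
--    the live account by up to about 45 minutes, so treat the Trust Center detection
--    (reported within an hour of the event) as the trigger and this query as the record.
SELECT start_time, user_name, role_name, query_text
  FROM snowflake.account_usage.query_history
 WHERE start_time >= DATEADD(day, -7, CURRENT_TIMESTAMP())   -- constructed window
   AND query_text ILIKE 'ALTER ACCOUNT%'
   AND (query_text ILIKE '%PREVENT_UNLOAD_TO_INLINE_URL%'
        OR query_text ILIKE '%REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_%')
 ORDER BY start_time DESC;

-- 3. Restore the secure default for anything step 1 reported.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = TRUE;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = TRUE;
```

Step 2 is what turns a one-time detection into something auditable: the user and role on the ALTER ACCOUNT row tell you whether the change was an approved operation or a grant worth revisiting, and the same row is the record to attach when you document the response.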

The Threat Intelligence scanner package runs once a day by default, but you can change the schedule.

For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:

Next steps