Trust Center overview

You can use the Trust Center to evaluate, monitor, and reduce potential security risks in your Snowflake accounts. The Trust Center evaluates each Snowflake account against recommendations that are specified in scanners. Scanners might generate findings. Trust Center findings provide information about how to reduce potential security risks in your Snowflake account. Not every scanner run generates a finding. A scanner run that finds no security concern generates no finding in the Trust Center. You can also use the Trust Center to configure proactive notifications that help you monitor your account for security risks.

Common Trust Center use cases

For more information about how to use the Trust Center to reduce security risks in your Snowflake account, see the following topics:

Limitations

Snowflake reader accounts aren’t supported.

Required roles

To view or manage scanners and their findings by using the Trust Center, a user with the ACCOUNTADMIN role must grant the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role to your role.

The following table lists common tasks that you perform by using the Trust Center user interface, and the minimum application role that your role requires to perform those tasks:

Note

If you are using the Trust Center in the organization account, use the GLOBALORGADMIN role, not ACCOUNTADMIN, to grant the Trust Center application roles.

For information about the application role that is required to access a specific tab in the Trust Center, see the following table.

| Task | Trust Center tab | Minimum required application role | Notes |
| --- | --- | --- | --- |
| View detection findings | Detections | SNOWFLAKE.TRUST_CENTER_VIEWER | The SNOWFLAKE.TRUST_CENTER_ADMIN role can also view detections. |
| View violation findings | Violations | SNOWFLAKE.TRUST_CENTER_VIEWER | The SNOWFLAKE.TRUST_CENTER_ADMIN role can also view violations. |
| Manage violation findings lifecycle | Violations | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| Manage scanner packages | Manage scanners | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| Manage scanners | Manage scanners | SNOWFLAKE.TRUST_CENTER_ADMIN | None. |
| View org-level violations | Organization | ORGANIZATION_SECURITY_VIEWER and SNOWFLAKE.TRUST_CENTER_ADMIN | The Organization tab is visible only in an organization account. |

You can create a custom role that provides view-only access to the Violations and Detections tabs. You can also create a separate, administrator-level role to manage violations and scanners by using the Violations and Manage scanners tabs. For example, to create these two different roles, run the following commands:

USE ROLE ACCOUNTADMIN;

-- Administrator-level role: manages violations and scanners.
CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;

-- View-only role: reads the Violations and Detections tabs.
CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

-- Assign each role to the appropriate user.
GRANT ROLE trust_center_admin_role TO USER example_admin_user;

GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;

Note

This example isn’t intended to recommend a complete role hierarchy for using the Trust Center. For more information, see each sub-section in Using the Trust Center.

Using private connectivity with Trust Center

The Trust Center supports private connectivity. For more information, see Using private connectivity.

Trust Center findings

Trust Center findings include two kinds of findings: violations and detections. Both kinds of findings are generated by scanners as they run in your Snowflake accounts.

You can review findings at the organization level or you can examine more closely the findings for a specific account.

Note

Currently, you can’t view detection findings at the organization level.

Organization-level findings

The Organization tab provides insights into the violation findings that are generated in all of the accounts in the organization. This tab includes the following information:

  • The number of violations in the organization.

  • The accounts with the most severe violations.

  • The number of violations for each account in the organization. You can select an account to drill down into that account’s individual violations.

Note

You can’t use the Organization tab to resolve or reopen violations. To perform these actions, sign in to the account with the violation, and then access the Violations tab.

To access the Organization tab, you must meet the following requirements:

  • Sign in to the organization account.

  • Use a role that has the ORGANIZATION_SECURITY_VIEWER application role. The role must also have a Trust Center application role.

Account-level findings

Scanners find and report violation and detection findings through the Trust Center. A violation persists over time and represents a configuration that doesn’t conform to a scanner’s requirements. A detection occurs one time and represents a unique event. You can use the Trust Center to view and manage findings for your account. For more information, see Using the Trust Center.

Violations

A scanner can examine an entity at any point and determine whether it is in violation based only on its current configuration. Scanners continue to report on violations unless you change the configuration to remediate the violations. For example, a scanner reports a violation if some users haven’t configured multi-factor authentication (MFA).

The Violations tab provides account-level information about scanner results. It includes the following information:

  • A graph of scanner violations over time, color-coded by severity (low, medium, high).

  • An interactive list for each violation that is found. Each row in the list contains details about the violation, when the scanner was last run, and how to remediate the violation.

Violations identify Snowflake configurations in your account that violate the requirements of an enabled scanner package. For each violation, the Trust Center describes how to remediate it. After you fix a violation, it continues to appear on the Violations tab until the next scheduled run of the scanner package that contains the reporting scanner starts, or until you run the scanner package manually.

When you are signed in to the account with the violations, you can use the Violations tab to perform the following actions:

  • Triage the violations that apply to you and record evidence or progress notes.

  • Resolve or reopen violations for any reason, and record the justification for audit purposes.

  • Sort or filter violations by severity, scanner package, scanner version, scanned time, updated time, or status.

  • Add a reason for each violation status change to keep a clear record of the actions you took.

You can remediate violations by changing the configuration; for each violation, the Trust Center suggests a remediation. After you remediate the issue, the Trust Center no longer reports the violation. You can also manage the lifecycle of a violation finding by changing its status to Resolved. Email notifications are suppressed for resolved violations, so a resolved violation generates no further notifications while you work to remediate the underlying misconfiguration.

Detections

A detection represents an event that happened at a specific time. The following findings are examples of events that might be reported as detections:

  • Login events originated from an unrecognized IP address.

  • A large amount of data was transferred to an external stage.

  • A task had a high error rate between two points in time.

Scanners report each detection based on an event trigger. For example, a scanner reports a detection when it detects a suspicious sign-in event and reports a separate detection when it detects another suspicious sign-in event at a different time. For a detection, the Trust Center provides information about the event. Because the event is unique and happened in the past, direct remediation of a detection isn’t possible.

Based on the information that the Trust Center provides, you can investigate whether the detection is meaningful. If the detection is meaningful, you can take actions to prevent similar events in the future.

Note

If the scanner that reported the detection runs again, it might or might not report similar detections. Currently, you can’t manage the lifecycle of a detection.

For more information about managing detections, see View detections.

Scanners

A scanner is a background process that checks your account for security risks based on the following criteria:

  • How you configured your account.

  • Anomalous events.

The Trust Center groups scanners into scanner packages. Scanner details provide information about what security risks the scanner checks for in your account, when the scanner runs, and who receives notifications about the scanner’s findings for your account. To see the details for a specific scanner, follow the instructions in View details for a scanner.

Schedule-based scanners

Schedule-based scanners run at specific times, according to their schedules. You must enable a scanner package before you can change the schedule for a scanner. For more information about changing the schedule for a scanner, see Change the schedule for a scanner.

Event-driven scanners

Event-driven scanners generate detections that are based on relevant events. Examples include scanners that detect sign-ins from unusual IP addresses and scanners that detect changes to sensitive parameters. You can’t schedule an event-driven scanner, because an event, not a schedule, drives the detection that an event-driven scanner generates. The Trust Center reports detections that are generated by event-driven scanners within an hour of the time that an event occurs.

An event-based scanner can detect events that a schedule-based scanner could miss. For example, consider a schedule-based scanner that checks the TRUE or FALSE state of a Boolean parameter once every 10 minutes. Toggling that parameter from TRUE to FALSE and back to TRUE before 10 minutes pass would go undetected by the schedule-based scanner. An event-based scanner that detects each state change would detect both events.

For a current list of event-driven scanners, see Threat Intelligence scanner package.

Note

Event-driven scanners might appear as multiple items in the METERING_HISTORY view.

Scanner packages

Scanner packages contain a description and a list of scanners that run when you enable the scanner package. After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule. After you enable a scanner package, you can enable or disable individual scanners in the scanner package. Your role must have the SNOWFLAKE.TRUST_CENTER_ADMIN application role to manage scanners by using the Manage scanners tab. For more information, see Required roles.

The following scanner packages are available:

For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:

Scanner packages are deactivated by default, except for the Security Essentials scanner package.

Security Essentials scanner package

The Security Essentials scanner package scans your account to check whether you have set up the following recommendations:

  • You have an authentication policy that requires all human users to enroll in MFA if they authenticate with passwords.

  • All human users who authenticate with passwords are enrolled in MFA.

  • You set up an account-level network policy that only allows access from trusted IP addresses.

  • If the account has enabled event sharing for a Native App, you have set up an event table so that the account receives a copy of the log messages and event information that are shared with the application provider.

This scanner package only scans human users; that is, user objects with a TYPE property of PERSON or NULL. For more information, see User types.

The Security Essentials scanner package:

  • Is enabled by default. You can’t deactivate it.

  • Runs once a month. You can’t change this schedule.

  • Is a free scanner package that doesn’t incur serverless compute cost.
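As an added example that is not part of the Snowflake documentation, the following SQL approximates the first two Security Essentials checks from the administrator’s side: it lists human users (TYPE of PERSON or NULL) who can authenticate with a password but are not enrolled in MFA, and then shows the kind of account-level authentication policy that closes that gap. It assumes that the HAS_PASSWORD, HAS_MFA, TYPE, DELETED_ON and DISABLED columns of SNOWFLAKE.ACCOUNT_USAGE.USERS are available in your account; the schema and policy name are placeholders.

```sql
-- Added example (not Snowflake's own code). Assumptions: the
-- SNOWFLAKE.ACCOUNT_USAGE.USERS columns used below exist in your account;
-- security.policies and mfa_required_for_passwords are placeholder names.
USE ROLE ACCOUNTADMIN;

-- 1. Human users with a password and no MFA enrollment. This mirrors the
--    scanner's scope: user objects whose TYPE is PERSON or NULL; service
--    users are excluded. Deleted and disabled users are ignored.
SELECT name,
       login_name,
       type,
       has_password,
       has_mfa,
       last_success_login
  FROM snowflake.account_usage.users
 WHERE deleted_on IS NULL
   AND disabled::BOOLEAN = FALSE
   AND (type = 'PERSON' OR type IS NULL)
   AND has_password = TRUE
   AND COALESCE(has_mfa, FALSE) = FALSE
 ORDER BY last_success_login DESC NULLS LAST;

-- 2. Remediation for the first recommendation: an authentication policy
--    that requires MFA enrollment for password sign-ins, attached at the
--    account level so it applies to every user without a user-level policy.
USE SCHEMA security.policies;   -- placeholder database and schema

CREATE AUTHENTICATION POLICY IF NOT EXISTS mfa_required_for_passwords
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Human users who authenticate with a password must enroll in MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY mfa_required_for_passwords;
```

Re-running the query in step 1 after users enroll shows the remaining gap; the Security Essentials scanner itself only re-evaluates on its monthly run.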

CIS Benchmarks scanner package

You can access additional security insights by enabling the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for configuring Snowflake accounts to reduce security vulnerabilities. They were created through community collaboration and consensus among subject-matter experts.

To obtain a copy of the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website.

The recommendations in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation in the first section is numbered 1.1. On the Violations tab, the Trust Center provides the section number for each violation so that you can refer to the Snowflake CIS Benchmarks.

This scanner package runs once a day by default, but you can change the schedule.

For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:

Note

For certain Snowflake CIS Benchmarks, Snowflake checks only whether you have implemented a specific security measure, not whether the measure was implemented in a way that achieves its purpose. For these benchmarks, the absence of a violation doesn’t guarantee that the security measure was implemented effectively. For the following benchmarks, the Trust Center either doesn’t evaluate whether the security implementation achieves its goal or doesn’t perform a check at all:

  • All items in section 2: These provide recommendations for configuring Snowflake to monitor activity and to address activity that requires attention. These scanners contain complex queries whose violations don’t appear in the Snowsight console.

    Security officers can derive useful insights from the section 2 scanners by running the following query against the snowflake.trust_center.findings view:

    -- Section 2 scanner results with the entities they flagged.
    SELECT start_timestamp,
           end_timestamp,
           scanner_id,
           scanner_short_description,
           impact,
           severity,
           total_at_risk_count,
           at_risk_entities
      FROM snowflake.trust_center.findings
      WHERE scanner_type = 'Threat' AND
            completion_status = 'SUCCEEDED'
      ORDER BY event_id DESC;

    The AT_RISK_ENTITIES column of the output contains JSON with details about the activity that requires review or correction. For example, the CIS_BENCHMARKS_CIS2_1 scanner monitors grants of high privileges, and security officers should carefully review events like the following sample event that this scanner reports:

    [
      {
        "entity_detail": {
          "granted_by": "joe_smith",
          "grantee_name": "SNOWFLAKE$SUSPICIOUS_ROLE",
          "modified_on": "2025-01-01 07:00:00.000 Z",
          "role_granted": "ACCOUNTADMIN"
        },
        "entity_id": "SNOWFLAKE$SUSPICIOUS_ROLE",
        "entity_name": "SNOWFLAKE$SUSPICIOUS_ROLE",
        "entity_object_type": "ROLE"
      }
    ]

    Snowflake suggests the following best practices for the section 2 scanners:

    • Don’t disable the section 2 scanners unless you are confident that sufficient monitoring measures are in place.

    • Inspect the violations of section 2 scanners on a regular cadence or configure a monitoring task for detections. Specifically, configure monitoring as described in the SUGGESTED_ACTION column of the snowflake.trust_center.findings view.

  • 3.1: Ensure that an account-level network policy was configured to only allow access from trusted IP addresses. Trust Center displays a violation if you don’t have an account-level network policy, but doesn’t evaluate whether the appropriate IP addresses have been allowed or blocked.

  • 4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. The Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter, which relates to Time Travel, isn’t set to 90 days for the account or for at least one object, but it doesn’t evaluate which data is considered critical.

  • 4.10: Ensure that data masking is enabled for sensitive data. The Trust Center displays a violation if the account doesn’t have at least one masking policy, but it doesn’t evaluate whether sensitive data is adequately protected. The Trust Center doesn’t evaluate whether a masking policy has been assigned to at least one table or view.

  • 4.11: Ensure that row access policies are configured for sensitive data. The Trust Center displays a violation if the account doesn’t have at least one row access policy, but it doesn’t evaluate whether sensitive data is protected. The Trust Center doesn’t evaluate whether a row access policy has been assigned to at least one table or view.
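Because section 2 violations don’t surface in Snowsight, a practitioner usually wants the AT_RISK_ENTITIES array from the query above turned into one row per flagged entity. The following query is an added example, not part of the Snowflake documentation; it assumes that AT_RISK_ENTITIES is a VARIANT/ARRAY column with the structure of the sample event shown above, and uses the CIS_BENCHMARKS_CIS2_1 scanner ID named on this page. The list of administrator roles to watch is an assumption you can adjust.

```sql
-- Added example (not Snowflake's own code). Assumptions: at_risk_entities is a
-- VARIANT/ARRAY column shaped like the sample event above; the role list in the
-- final filter is a reviewer's choice, not something the scanner defines.
SELECT f.end_timestamp,
       f.scanner_id,
       f.severity,
       f.total_at_risk_count,
       e.value:entity_name::STRING                AS entity_name,
       e.value:entity_object_type::STRING         AS entity_object_type,
       e.value:entity_detail:granted_by::STRING   AS granted_by,
       e.value:entity_detail:grantee_name::STRING AS grantee_name,
       e.value:entity_detail:role_granted::STRING AS role_granted,
       e.value:entity_detail:modified_on::STRING  AS modified_on
  FROM snowflake.trust_center.findings AS f,
       -- One output row per element of the JSON array.
       LATERAL FLATTEN(INPUT => f.at_risk_entities) AS e
 WHERE f.scanner_type = 'Threat'
   AND f.completion_status = 'SUCCEEDED'
   AND f.scanner_id = 'CIS_BENCHMARKS_CIS2_1'
   -- Review high-privilege grants first; extend this list to fit your account.
   AND e.value:entity_detail:role_granted::STRING IN ('ACCOUNTADMIN', 'SECURITYADMIN')
 ORDER BY f.end_timestamp DESC, modified_on DESC;
```

A grant whose granted_by is not one of your expected administrators, or whose grantee_name is a role you don’t recognize (such as the SNOWFLAKE$SUSPICIOUS_ROLE sample above), is the kind of row to escalate.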

Threat Intelligence scanner package

You can access additional security insights in the Trust Center by enabling the Threat Intelligence scanner package. This package identifies risks based on the following criteria:

  • User type: Whether a Snowflake account user is a person or a service.

  • Authentication methods or policies: Whether a user logs in to their account with a password without being enrolled in MFA.

  • Sign-in activity: Whether a user hasn’t signed in recently.

  • Unusual failure rates: Whether a user has many authentication failures or job errors.

  • New! Detection findings: all new scanners that report detection findings.

Specific scanners in the Threat Intelligence package flag users who demonstrate potentially risky behavior as risky. The following table provides examples:

Threat Intelligence scanners

| Scanner | Type | Description |
| --- | --- | --- |
| Migrate human users away from password-only sign-in | Schedule-based | Identifies human users who (a) haven’t set up MFA and signed in with a password at least once in the past 90 days, or (b) have a password but haven’t set up MFA and haven’t signed in for 90 days. |
| Migrate legacy service users away from password-only sign-in | Schedule-based | Identifies legacy service users who have a password and (a) have signed in with only a password at least once in the past 90 days, or (b) haven’t signed in for 90 days. |
| Identify users with a high volume of authentication failures | Schedule-based | Identifies users with a high number of authentication failures or job errors, which might indicate attempted takeovers of an account, misconfigurations, exceeded quotas, or permission issues. Provides a risk-severity finding and a risk-mitigation recommendation. |

New Threat Intelligence scanners

Both schedule-based scanners and event-based scanners can report detections. This preview adds new scanners of both types. All of the added scanners generate detections instead of violation findings.

This preview adds the following new scanners to the Threat Intelligence scanner package:

| Scanner | Type | Description |
| --- | --- | --- |
| Authentication policy changes | Event-driven | Finds changes to authentication policies at both the account level and the user level. |
| Dormant user sign-ins | Event-driven | Analyzes sign-in history events and flags sign-ins from users who haven’t signed in during the last 90 days. |
| Entities with long-running queries | Schedule-based | Finds users and query IDs associated with long-running queries, which are queries whose durations are two standard deviations away from the average query duration over the last 7 days or since the last time the scanner ran, whichever is more recent. We recommend setting this scanner to run once a day. This scanner might cost more initially, as it builds a 30-day cache, which it stores thereafter. The Trust Center reports a detection event the first time this scanner runs. |
| Login protection | Event-driven | Finds recent logins from unusual IP addresses. Important: These events originate from the Malicious IP Protection service and require immediate attention. |
| Sensitive parameter protection | Event-driven | Reports disablement of the following sensitive account-level parameters: PREVENT_UNLOAD_TO_INLINE_URL, REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION, and REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION. This scanner only reports detections of a change from TRUE to FALSE for these parameters, which are set to TRUE by default for the best security posture. |
| Users with administrator privileges | Schedule-based | Finds newly created users whose default role is an administrator role, as well as recent grants to existing users that grant them an administrator role. |
| Users with unusual applications used in sessions | Schedule-based | Finds users who have used unusual client applications that connect to Snowflake. |

The Threat Intelligence scanner package runs once a day by default, but you can change the schedule.

For information about enabling scanner packages, the cost that can occur from enabled scanners, how to change the schedule for a scanner package, and how to view the list of current scanners in a package, see the following topics:

Next steps