Trust Center¶
Note
Snowflake reader accounts are not supported.
You can use the Trust Center to evaluate and monitor your account for security risks. The Trust Center evaluates your account against recommendations specified in scanners according to a schedule, but you can change how frequently scanners run. If your account violates any of the recommendations in any of the enabled scanners, then the Trust Center provides a list of security risks, and information about how to mitigate those risks.
Common use cases¶
Required privileges¶
A user with the ACCOUNTADMIN role must grant your role the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role, depending on which Trust Center tab you want to access.
See the following table for information about which application roles you need to access specific tabs in the Trust Center:
Trust Center tab | Required application roles
---|---
Findings |
Scanner Packages |
For example, to create and grant a separate role for accessing the Findings tab, and a separate role for accessing the Scanner Packages tab, you can run the following commands using the ACCOUNTADMIN role:
USE ROLE ACCOUNTADMIN;
CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;
CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;
GRANT ROLE trust_center_admin_role TO USER example_admin_user;
GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;
Using private connectivity¶
The Trust Center supports private connectivity. For more information, see Using private connectivity.
Findings¶
The Trust Center provides a Findings tab that provides the following information:
A graph of scanner violations over time, color coded by low, medium, high, and critical severity.
An interactive list of recommendations for each violation found. Each recommendation contains details about the violation, when the scanner was last run, and how to remediate the violation.
Findings let you identify Snowflake configurations in the account that violate the requirements of enabled scanner packages. For each violation, the Trust Center provides an explanation of how to remediate the violation. After you remediate a violation, the violation still appears in the Findings tab until the next scheduled run of the scanner package containing the scanner that reported the violation begins, or until you run the scanner package manually.
You need a specific application role to access the Findings tab. For more information, see Required privileges.
Scanners¶
A scanner is a scheduled background process that checks your account for security risks based on how you configured your account. Scanners are grouped together into scanner packages. Scanners contain information about what security risks they check for in your account, and the scanner package that contains them.
Scanner packages contain a description and a list of scanners that run when you enable the scanner package. After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule.
By default, scanner packages are deactivated, except for the Security Essentials scanner package.
Scanner packages run according to a schedule. You must first enable a scanner package before you can change its schedule, if the scanner package allows you to change the schedule.
After you enable a scanner package, you can enable or disable individual scanners in the scanner package. You can also change the schedule of individual scanners in the scanner package.
You need specific application roles to access the Scanner Packages tab. For more information, see the table in Required privileges.
The following scanner packages are available:
Security Essentials scanner package¶
The Security Essentials scanner package is a free scanner package that doesn’t incur cost. This scanner package scans your account to check whether you have set up the following recommendations:
You have an authentication policy that enforces all human users to enroll in multi-factor authentication (MFA) if they use passwords to authenticate.
All human users are enrolled in MFA if they use passwords to authenticate.
You set up an account-level network policy that has been configured to only allow access from trusted IP addresses.
You set up an event table if your account enabled event sharing for a native app, so your account receives a copy of the log messages and event information that is shared with the application provider.
This scanner package only scans users that are human users (that is, user objects with a TYPE property of PERSON or NULL). For more information, see Types of users.
This scanner package runs every two weeks, and you can’t change the schedule.
By default, this scanner package is enabled and can’t be deactivated.
The Security Essentials scanner package doesn’t incur serverless compute cost.
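The following SQL is an added example, not part of the Snowflake documentation, showing account-level settings that satisfy the three Security Essentials checks listed above. The object names (secops_policy_db, corp_mfa_policy, corp_network_policy, account_events) and the IP range 192.0.2.0/24 are constructed placeholders; substitute your own trusted ranges.

```sql
-- Added example (not from the Snowflake docs): settings that satisfy the three
-- Security Essentials checks. All object names and the IP range are constructed.
USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS secops_policy_db;
CREATE SCHEMA IF NOT EXISTS secops_policy_db.policies;

-- 1. Require MFA enrollment for every user who authenticates with a password.
CREATE OR REPLACE AUTHENTICATION POLICY secops_policy_db.policies.corp_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  COMMENT = 'MFA required for password logins (Security Essentials check)';
ALTER ACCOUNT SET AUTHENTICATION POLICY secops_policy_db.policies.corp_mfa_policy;

-- 2. Account-level network policy that only allows trusted addresses.
--    The scanner checks that a policy is assigned; choosing the right ranges is up to you.
CREATE OR REPLACE NETWORK POLICY corp_network_policy
  ALLOWED_IP_LIST = ('192.0.2.0/24')
  COMMENT = 'Trusted office/VPN egress range (constructed example)';
ALTER ACCOUNT SET NETWORK_POLICY = corp_network_policy;

-- 3. Event table so log messages shared by native apps land in your own account.
CREATE EVENT TABLE IF NOT EXISTS secops_policy_db.policies.account_events;
ALTER ACCOUNT SET EVENT_TABLE = secops_policy_db.policies.account_events;

-- Verify the settings the scanners will evaluate.
SHOW PARAMETERS LIKE 'EVENT_TABLE' IN ACCOUNT;
SHOW NETWORK POLICIES;
SHOW AUTHENTICATION POLICIES;
```

Apply the network policy only from a session whose client address is inside the allowed list; Snowflake rejects an account-level policy that would exclude the current session, and a policy that omits your administrators' addresses locks them out. The violation for each check remains in the Findings tab until the Security Essentials package next runs.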
CIS Benchmarks scanner package¶
You can access additional security insights by enabling the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for Snowflake account configurations meant to reduce security vulnerabilities. The CIS Snowflake Benchmarks were created through community collaboration and consensus among subject matter experts.
To obtain a copy of the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website.
The recommendations found in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation of the first section is numbered 1.1. In the Findings tab, the Trust Center provides section numbers for each violation if you want to reference the Snowflake CIS Benchmarks.
This scanner package runs once a day by default, but you can change the schedule.
For information about enabling scanner packages, the cost that can occur from enabled scanners, and how to change the schedule of a scanner package, see the following references:
Note
For specific Snowflake CIS benchmarks, Snowflake only determines whether you have implemented a specific security measure, but does not evaluate whether the security measure was implemented in a way that achieves its objective. For these benchmarks, the absence of a violation does not guarantee that the security measure is implemented in an effective manner. The following benchmarks either do not evaluate whether your security measures were implemented in a way that achieves their goal, or the Trust Center does not perform checks for them:
All of section 2: Ensure that activities are monitored and provide recommendations for configuring Snowflake to address activities that require attention. These scanners contain complex queries whose findings don’t appear in the Snowsight console.
A security officer can derive valuable insights from section 2 scanners by executing the following query against the snowflake.trust_center.findings view:
SELECT start_timestamp, end_timestamp, scanner_id, scanner_short_description, impact, severity, total_at_risk_count, AT_RISK_ENTITIES FROM snowflake.trust_center.findings WHERE scanner_type = 'Threat' AND completion_status = 'SUCCEEDED' ORDER BY event_id DESC;
In the output, the AT_RISK_ENTITIES column contains JSON content with details about activities that require review or remediation. For example, the CIS_BENCHMARKS_CIS2_1 scanner monitors high privilege grants, and security officers should review events reported by this scanner carefully, such as the following sample event:
[
  {
    "entity_detail": {
      "granted_by": "joe_smith",
      "grantee_name": "SNOWFLAKE$SUSPCICIOUS_ROLE",
      "modified_on": "2025-01-01 07:00:00.000 Z",
      "role_granted": "ACCOUNTADMIN"
    },
    "entity_id": "SNOWFLAKE$SUSPCICIOUS_ROLE",
    "entity_name": "SNOWFLAKE$SUSPCICIOUS_ROLE",
    "entity_object_type": "ROLE"
  }
]
Snowflake suggests the following best practices for section 2 scanners:
Don’t disable section 2 scanners unless you are confident that you have sufficient monitoring measures in place.
Inspect the findings of section 2 scanners on a regular cadence or configure a monitoring task for alerts. Specifically, configure monitoring as described in the SUGGESTED_ACTION column of the snowflake.trust_center.findings view.
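One way to implement the "monitoring task for alerts" recommended above is a Snowflake alert that evaluates the findings view on a schedule. The following is an added example, not from the Snowflake documentation; the warehouse secops_wh, the notification integration secops_email_int and the address secops@example.com are placeholders you must replace with your own, and the role creating the alert needs the EXECUTE ALERT privilege on the account.

```sql
-- Added example (not from the Snowflake docs): an hourly alert that e-mails the
-- security team when a scanner run completed since the previous successful check
-- reports HIGH or CRITICAL findings. Warehouse, integration and address are placeholders.
CREATE OR REPLACE ALERT trust_center_high_severity_alert
  WAREHOUSE = secops_wh
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
        SELECT 1
        FROM snowflake.trust_center.findings
        WHERE completion_status = 'SUCCEEDED'
          AND total_at_risk_count > 0
          AND UPPER(severity) IN ('HIGH', 'CRITICAL')
          -- Only runs that finished since the alert last succeeded (or, on the first
          -- evaluation, within the last day), so each e-mail reports new results only.
          AND end_timestamp > COALESCE(SNOWFLAKE.ALERT.LAST_SUCCESSFUL_SCHEDULED_TIME(),
                                       DATEADD('day', -1, SNOWFLAKE.ALERT.SCHEDULED_TIME()))
  ))
  THEN CALL SYSTEM$SEND_EMAIL(
        'secops_email_int',
        'secops@example.com',
        'Trust Center: new HIGH/CRITICAL findings',
        'A Trust Center scanner reported new high or critical findings. Review the Findings tab or query snowflake.trust_center.findings.'
  );

-- Alerts are created in a suspended state; resume it so the schedule takes effect.
ALTER ALERT trust_center_high_severity_alert RESUME;
```

The condition deliberately filters on completion_status = 'SUCCEEDED' and total_at_risk_count > 0 so that a failed scanner run or a clean run does not page anyone. If e-mail is not available, the THEN clause can instead INSERT the matching rows into a table that your SIEM or ticketing pipeline polls.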
3.1: Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses. Trust Center displays a violation if you do not have an account-level network policy, but doesn’t evaluate whether the appropriate IP addresses have been allowed or blocked.
4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter associated with Time Travel isn’t set to 90 days for the account or at least one object, but doesn’t evaluate which data is considered critical.
4.10: Ensure that data masking is enabled for sensitive data. Trust Center displays a violation if the account does not have at least one masking policy, but does not evaluate whether sensitive data is protected appropriately. The Trust Center does not evaluate whether a masking policy is assigned to at least one table or view.
4.11: Ensure that row-access policies are configured for sensitive data. Trust Center displays a violation if the account doesn’t have at least one row access policy, but does not evaluate whether sensitive data is protected. The Trust Center does not evaluate whether a row access policy is assigned to at least one table or view.
Threat Intelligence scanner package¶
You can access additional security insights by enabling the Threat Intelligence scanner package, which lets you discover risky users based on user type, authentication methods, authentication policies, and network policies used. This scanner package provides a risk severity for each risky user, to help you prioritize which users to address first.
This scanner package scans all types of users, and categorizes them as risky or not risky. Each risky user has a severity, based on their TYPE or ADMIN_USER_TYPE, and what configurations are set.
The following diagram contains information about what combination of user types (PERSON, NULL, SERVICE, and LEGACY_SERVICE) and conditions make a user risky, and how severe the risk posed by each user is:
This scanner package runs once a day by default, but you can change the schedule.
For information about enabling scanner packages, the cost that can occur from enabled scanners, and how to change the schedule of a scanner package, see the following references: