Using the Trust Center

This topic describes how to use and navigate the Trust Center Snowsight interface.

Monitoring cost

The Trust Center incurs serverless compute cost when it scans your Snowflake environment for security vulnerabilities.

You can use cost-related views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas to track the costs associated with the Trust Center. When querying these views, filter on the service_type column to find TRUST_CENTER values.

| View | Schema | service_type | Roles with required privileges |
|---|---|---|---|
| METERING_HISTORY | ACCOUNT_USAGE | TRUST_CENTER | ACCOUNTADMIN role; USAGE_VIEWER database role |
| METERING_DAILY_HISTORY | ACCOUNT_USAGE | TRUST_CENTER | ACCOUNTADMIN role; USAGE_VIEWER database role |
| METERING_DAILY_HISTORY | ORGANIZATION_USAGE | TRUST_CENTER | ORGADMIN role; ORGANIZATION_USAGE_VIEWER database role |
| USAGE_IN_CURRENCY_DAILY | ORGANIZATION_USAGE | TRUST_CENTER | ORGADMIN role; ORGANIZATION_BILLING_VIEWER database role |

Example: View the total cost that the Trust Center incurred between December 1, 2024 and December 31, 2024.

SELECT
   SUM(credits_used) AS total_credits
FROM snowflake.account_usage.metering_history
WHERE
   service_type = 'TRUST_CENTER' AND
   start_time >= '2024-12-01' AND
   end_time <= '2024-12-31';

Example: View the daily cost that the Trust Center incurred after December 1, 2024.

SELECT
   usage_date AS date,
   credits_used AS credits
FROM snowflake.account_usage.metering_daily_history
WHERE
   service_type = 'TRUST_CENTER' AND
   date > '2024-12-01';

For information about how many credits are charged per Compute-Hour for the operation of the Trust Center, see Table 5 in the Snowflake Service Consumption Table.

Costs before December 1, 2024

Prior to December 1, 2024, serverless compute costs were not tracked with a service type in the cost-related views in the ACCOUNT_USAGE and ORGANIZATION_USAGE schemas. If you want the historical cost of using the Trust Center before December 1, 2024, you need to query the SERVERLESS_TASK_HISTORY view instead. For example, to view the cost that the Trust Center incurred between May 20, 2024 and May 22, 2024, you can execute the following SQL statement:

SELECT SUM(CREDITS_USED)
  FROM snowflake.account_usage.serverless_task_history
  WHERE
    DATABASE_NAME = 'SNOWFLAKE' AND
    SCHEMA_NAME = 'TRUST_CENTER_STATE' AND
    START_TIME BETWEEN '2024-05-20 07:00:00.000 -0700' AND '2024-05-22 07:00:00.000 -0700';
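
The following query is an added example, not part of the original documentation. It stitches the two sources described above into one daily series, so that Trust Center cost can be reviewed across the December 1, 2024 cutover without double counting. The CTE names and the `source` column are assumptions, as is bucketing the older rows by UTC day.

```sql
-- Added example: daily Trust Center credits before and after the
-- December 1, 2024 change in how the cost is tracked.
WITH legacy AS (
    -- Before the cutover, the cost is only visible as serverless task usage
    -- in the SNOWFLAKE.TRUST_CENTER_STATE schema.
    SELECT
        -- Assumption: bucket by UTC day so the boundary does not depend
        -- on the session time zone.
        TO_DATE(CONVERT_TIMEZONE('UTC', start_time)) AS usage_date,
        SUM(credits_used)                            AS credits
    FROM snowflake.account_usage.serverless_task_history
    WHERE database_name = 'SNOWFLAKE'
      AND schema_name   = 'TRUST_CENTER_STATE'
      AND start_time    < '2024-12-01'
    GROUP BY 1
),
tracked AS (
    -- From the cutover onward, the cost carries its own service type.
    SELECT
        usage_date,
        SUM(credits_used) AS credits
    FROM snowflake.account_usage.metering_daily_history
    WHERE service_type = 'TRUST_CENTER'
      AND usage_date  >= '2024-12-01'
    GROUP BY 1
)
SELECT usage_date, credits, 'SERVERLESS_TASK_HISTORY' AS source
FROM legacy
UNION ALL
SELECT usage_date, credits, 'METERING_DAILY_HISTORY' AS source
FROM tracked
ORDER BY usage_date;
```

Days on which an enabled scanner package shows no credits at all are worth checking against the package and scanner schedules.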

Managing scanner packages

You can complete the following tasks to manage scanner packages in the Trust Center:

Enable scanner packages

To enable a scanner package, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. Select the Settings tab.

  7. Select Enable.

After you enable a scanner package, you can enable or disable individual scanners in the scanner package.

View available scanner packages

To view available scanner packages, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Optionally, select Provider, Status, or Search to filter the list of scanner packages available.

Change the schedule of a scanner package

You can change the schedule of all scanner packages, except the Security Essentials scanner package.

Tip

After a scanner package is enabled, you can change the schedule of individual scanners in the scanner package.

To change the schedule of a scanner package, follow these steps:

  1. Ensure you’ve enabled the CIS Benchmarks scanner package.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  4. In the left navigation bar, select Monitoring » Trust Center.

  5. Select the Scanner Packages tab.

  6. Select a scanner package from the list.

  7. Select the Settings tab.

  8. Under Scanner Package Schedule, select Edit.

  9. Set your desired Frequency.

  10. Select Continue.

Run a scanner package manually

To run a scanner package manually, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. Next to Search, select Run Package.

Note

Some scanner packages, such as the Security Essentials scanner package, cannot be run manually, and run on a fixed schedule.

Managing scanners

You can complete the following tasks to manage scanners in the Trust Center:

View descriptions of scanners in scanner packages

To view descriptions of scanners in a scanner package, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. Select a scanner from the list of scanner names.

Enable or disable a scanner in a scanner package

Attention

Scanners provide valuable information about possible security risks at a minimal cost. Before disabling a scanner, we recommend evaluating the value of the information provided by the scanner in relation to the cost associated with running it. For more information about evaluating the cost associated with a scanner, see Monitoring cost.

If a scanner package is disabled, all of the scanners in the package are disabled, including scanners that were enabled individually.

To enable or disable a scanner in a scanner package, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Scanner Packages tab.

  5. Select a scanner package from the list.

  6. In the scanner STATE, enable or disable the scanner.

  7. In the confirmation box, select Confirm.

Change the schedule of a scanner

You can change the schedule of some scanners.

Note

When a custom schedule is set for an individual scanner, that setting is used instead of its scanner package schedule, even if the scanner package schedule is changed.

To change the schedule of a scanner, follow these steps:

  1. Ensure you’ve enabled the scanner.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  4. In the left navigation bar, select Monitoring » Trust Center.

  5. Select the Scanner Packages tab.

  6. Select a scanner package from the list.

  7. Select More for the scanner, and then select Edit schedule.

  8. Set your desired Frequency.

  9. Select Save.

Reset the schedule of a scanner to the scanner package schedule

To change the schedule of a scanner to match its scanner package schedule, follow these steps:

  1. Ensure you’ve enabled the scanner.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  4. In the left navigation bar, select Monitoring » Trust Center.

  5. Select the Scanner Packages tab.

  6. Select a scanner package from the list.

  7. Select More for the scanner, and then select Edit schedule.

  8. Select Reset, and then select Reset to scanner package schedule.

  9. Select Save.

Run a scanner manually

To run a scanner manually, follow these steps:

  1. Ensure you’ve enabled the scanner.

  2. Sign in to Snowsight.

  3. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  4. In the left navigation bar, select Monitoring » Trust Center.

  5. Select the Scanner Packages tab.

  6. Select a scanner package from the list.

  7. Select More for the scanner, and then select Run scanner.

  8. In the confirmation box, select Confirm.

Managing the findings lifecycle

Change the status of a violation

Attention

Marking a violation as “Resolved” is a way to triage open violations so that you can focus on the ones most important for your environment. Resolving a violation also stops the periodic email notifications for that violation. Scanners run as scheduled irrespective of the violation status (Open or Resolved). The scanner continues to run and detect violations if the configuration remains unchanged.

All new security violations are raised with an Open status. You can resolve a violation for multiple reasons: for example, because it does not apply to your account, has been deferred to a future date, or is already in progress.

To change the status of a violation, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the navigation bar, select Monitoring » Trust Center.

  4. Select the Findings tab.

  5. Select a violation to open its detailed pane. By default, only violations with the Open status are shown.

  6. Select the Resolve button.

  7. Add a comment to justify the resolution (optional).

  8. Select Submit.

Resolved violations can be reopened by selecting the Resolve button.

View violations

You can view and filter your violations data to see your current progress, as shown here:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting this role, see Required privileges.

  3. In the navigation bar, select Monitoring » Trust Center.

  4. Select the Findings tab.

  5. Select an option from the Status drop-down menu to view the list of open, resolved, or all violations.

  6. Select any violation to see a detailed pane with its summary, recommendations, and activity.

  7. In the violation bar, select Activity to see the comments history and the responsible users.

  8. Select Scanned to see the scanner’s last run and when the violation was generated.

  9. Select Updated to see when the violation status was last changed.

Managing security risks

You can complete the following tasks to manage security risks in the Trust Center:

View security risks

To view security risks, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Findings tab.

  5. Select a recommendation from the list of violations to view details about the violation associated with the recommendation.

  6. Optionally, select Severity, Violations, or Search to filter the list of recommendations shown.

Remediate security risks

When viewing individual security risks, you can learn how to remediate the risks associated with the recommendations that display, allowing you to harden the security of your account.

To remediate security risks, follow these steps:

  1. Sign in to Snowsight.

  2. Switch to a role with the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role granted to it.

    For more information about granting these roles, see Required privileges.

  3. In the left navigation bar, select Monitoring » Trust Center.

  4. Select the Findings tab.

  5. Select a recommendation from the list of violations.

  6. Follow the steps shown in the Remediation tab.