Trust Center

Note

Snowflake reader accounts are not supported.

You can use the Trust Center to evaluate and monitor your account for security risks. The Trust Center evaluates your account against recommendations specified in scanners according to a schedule, but you can change how frequently scanners run. If your account violates any of the recommendations in any of the enabled scanners, then the Trust Center provides a list of security risks, and information about how to mitigate those risks.

Common use cases

Required privileges

A user with the ACCOUNTADMIN role must grant your role the SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN application role, depending on which Trust Center tab you want to access.

See the following table for information about which application roles you need for accessing specific tabs in the Trust Center:

Trust Center tab

Required application roles

Findings

SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN

Scanner Packages

SNOWFLAKE.TRUST_CENTER_ADMIN

For example, to create and grant a separate role for accessing the Findings tab, and a separate role for accessing the Scanner Packages tab, you can run the following commands using the ACCOUNTADMIN role:

USE ROLE ACCOUNTADMIN;

CREATE ROLE trust_center_admin_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE trust_center_admin_role;

CREATE ROLE trust_center_viewer_role;
GRANT APPLICATION ROLE SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE trust_center_viewer_role;

GRANT ROLE trust_center_admin_role TO USER example_admin_user;

GRANT ROLE trust_center_viewer_role TO USER example_nonadmin_user;
Copy

Using private connectivity

The Trust Center supports private connectivity. For more information, see Using private connectivity.

Findings

The Trust Center provides a Findings tab that provides the following information:

  • A graph of scanner violations over time, color coded by low, medium, high, and critical severity.

  • An interactive list of recommendations for each violation found. Each recommendation contains details about the violation, when the scanner was last run, and how to remediate the violation.

Findings let you identify Snowflake configurations in the account that violate the requirements of enabled scanner packages. For each violation, the Trust Center provides an explanation of how to remediate the violation. After you remediate a violation, the violation still appears in the Findings tab until the next scheduled run of the scanner package containing the scanner that reported the violation begins, or until you run the scanner package manually.

You need specific a application role to access the Findings tab. For more information, see Required privileges.

Scanners

A scanner is a scheduled background process that checks your account for security risks based on how you configured your account. Scanners are grouped together into scanner packages. Scanners contain information about what security risks they check for in your account, and the scanner package that contains them.

Scanner packages contain a description and a list of scanners that run when you enable the scanner package. After you enable a scanner package, the scanner package runs immediately, regardless of the configured schedule.

By default, scanner packages are deactivated, except for the Security Essentials scanner package.

Scanner packages run according to a schedule. You must first enable a scanner package before you can change its schedule, if the scanner package allows you to change the schedule.

You need specific application role(s) to access the Scanner Packages tab. For more information, see the table in requirements.

The following scanner packages are available:

Security Essentials scanner package

The Security Essentials scanner package is a free scanner package that does not incur cost. This scanner package scans your account to check whether you have set up the following recommendations:

  • You have an authentication policy that enforces all human users to enroll in multi-factor authentication (MFA) if they use passwords to authenticate.

  • All human users are enrolled in MFA if they use passwords to authenticate.

  • You set up an account-level network policy that has been configured to only allow access from trusted IP addresses.

  • You set up an event table if your account enabled event sharing for a native app, so your account receives a copy of the log messages and event information that is shared with the application provider.

This scanner package only scans users with their TYPE property set to PERSON or NULL.

This scanner package runs every two weeks, and you cannot change the schedule.

By default, this scanner package is enabled and cannot be deactivated.

The Security Essentials scanner package does not incur serverless compute cost.

CIS Benchmarks scanner package

You can access additional security insights by enabling the CIS Benchmarks scanner package, which contains scanners that evaluate your account against the Center for Internet Security (CIS) Snowflake Benchmarks. The CIS Snowflake Benchmarks are a list of best practices for Snowflake account configurations meant to reduce security vulnerabilities. The CIS Snowflake Benchmarks were created through community collaboration and consensus among subject matter experts.

To obtain a copy of the CIS Snowflake Benchmarks document, see the CIS Snowflake Benchmark website (https://www.cisecurity.org/benchmark/snowflake).

The recommendations found in the CIS Snowflake Benchmarks are numbered by section and recommendation. For example, the first recommendation of the first section is numbered 1.1. In the Findings tab, the Trust Center provides section numbers for each violation if you want to reference the Snowflake CIS Benchmarks.

This scanner package runs once a day by default, and you can change the schedule.

For information about enabling scanner packages, the cost that can occur from enabled scanners, and how to change the schedule of a scanner package, see the following references:

Note

For specific Snowflake CIS benchmarks, Snowflake only determines whether you have implemented a specific security measure, but does not evaluate whether the security measure was implemented in a way that achieves its objective. For these benchmarks, the absence of a violation does not guarantee that the security measure is implemented in an effective manner. The following benchmarks either do not evaluate whether your security implementations were implemented in a way that achieve their goal, or the Trust Center does not perform checks for them:

  • All of section 2: Monitoring and Alerting

  • 3.1: Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses. Trust Center displays a violation if you do not have an account-level network policy, but does not evaluate whether the appropriate IP addresses have been allowed or blocked.

  • 4.3: Ensure that the DATA_RETENTION_TIME_IN_DAYS parameter is set to 90 for critical data. Trust Center displays a violation if the DATA_RETENTION_TIME_IN_DAYS parameter associated with Time Travel is not set to 90 days for the account or at least one object, but does not evaluate which data is considered critical.

  • 4.10: Ensure that data masking is enabled for sensitive data. Trust Center displays a violation if the account does not have at least one masking policy, but does not evaluate whether sensitive data is protected appropriately. The Trust Center does not evaluate whether a masking policy is assigned to at least one table or view.

  • 4.11: Ensure that row-access policies are configured for sensitive data. Trust Center displays a violation if the account does not have at least one row access policy, but does not evaluate whether sensitive data is protected. The Trust Center does not evaluate whether a row access policy is assigned to at least one table or view.

Threat Intelligence scanner package

You can access additional security insights by enabling the Threat Intelligence scanner package, which lets you discover risky users based on user TYPE or ADMIN_USER_TYPE, authentication methods, authentication policies, and network policies used. This scanner package provides a risk severity for each risky user, to help you prioritize which users to address first.

This scanner package scans all types of users, and categorizes them as risky or not risky. Each risky user has a severity, based on their TYPE or ADMIN_USER_TYPE, and what configurations are set.

See the diagram below for information about what combination of user types (PERSON, NULL, SERVICE, and LEGACY_SERVICE) and conditions make a user risky, and how severe the risk posed by each user is:

A diagram containing a flowchart for PERSON or NULL type users, SERVICE type users, and LEGACY_SERVICE type users. Each flowchart categorizes users as not risky or having a specific risk severity. PERSON or NULL type users must either not have a password or an RSA public key to not be considered risky. If they have a password or an RSA public key, then they must be enforced by an authentication policy to enroll in MFA to not be considered risky. If they are not enforced by an authentication policy to enroll in MFA, then they must be enrolled in MFA to not be considered risky. If they are not enrolled in MFA, but they are restricted by a network policy, then they are considered to be a high risk. If they are not restricted by a network policy, then they are considered to be a critical risk. SERVICE type users must not have an RSA public key to be considered not risky. If they have an RSA public key, but are restricted by a network policy, then they are considered to be a medium risk. If they are not restricted by a network policy, then they are considered to be a critical risk. LEGACY_SERVICE type users must not have a password or an RSA public key to be considered not risky. If they have a password or an RSA public key, but are restricted by a network policy, then they are considered to be a medium risk. If they are not restricted by a network policy, then they are considered to be a critical risk.

This scanner package runs once a day by default, and you can change the schedule.

For information about enabling scanner packages, the cost that can occur from enabled scanners, and how to change the schedule of a scanner package, see the following references:

Next steps

Language: English