community.snowflake.com
URL: https://community.snowflake.com/s/article/Snowflake-Security-Overview-and-Best-Practices
Submission: On July 03 via api from US — Scanned from DE
SNOWFLAKE SECURITY OVERVIEW AND BEST PRACTICES
April 26, 2024

INTRODUCTION

This document provides an overview of security features and best practice guidelines for securing your data in Snowflake. Snowflake secures customer data using defense in depth with three security layers:

* Network Security
* IAM
* Data Encryption

After setting up the security controls, you can monitor them using the guidelines listed under the Monitoring section.

NETWORK SECURITY

Network security or isolation provides the first line of defense. The network security best practices are as follows:

* Use network policies.
* Use private connectivity with Snowflake.
* Allow your firewall to connect client applications to Snowflake.
* Allow Snowflake to access your cloud storage location for loading/unloading data.

Use network policies to allow “known” client locations (IP ranges) to connect to your Snowflake account while blocking others. Additionally, if you’re using service account users to connect from a client application, SCIM, or Snowflake OAuth integrations, check whether you need to configure separate network policies (SCIM network policy, OAuth network policy) that override the account-level network policy.

Use private connectivity with Snowflake by connecting to Snowflake over a private IP address using your cloud service provider’s private connectivity, such as AWS PrivateLink or Azure Private Link. With this feature, your Snowflake account appears as a resource in your network.
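The network policy layering described above (account-level policy, a narrower user-level policy for a service account, and an integration-level policy that overrides the account policy for SCIM traffic), written out as an added example. This is not code from the article or from Snowflake; every IP range, user name and integration name is a constructed placeholder, and the account-level policy assumes the private range used behind PrivateLink plus one public office egress range.

```sql
-- Added example, not from the article. IP ranges, SVC_ETL and OKTA_SCIM are
-- constructed placeholders.

-- 1. Account-level policy: the private range that arrives over PrivateLink /
--    Private Link plus the office's public egress range. Snowflake checks that
--    the IP you are currently connected from is in the allowed list before it
--    activates an account-level policy, so include it or you lock yourself out.
CREATE NETWORK POLICY CORP_DEFAULT_POLICY
  ALLOWED_IP_LIST = ('10.20.0.0/16', '198.51.100.0/24')
  COMMENT = 'Private range + office egress; everything else is blocked';

ALTER ACCOUNT SET NETWORK_POLICY = CORP_DEFAULT_POLICY;

-- 2. A service account connecting from one fixed ETL host outside the corporate
--    network. A user-level policy replaces (does not merge with) the account
--    policy for that user, so keep it as narrow as a single host if you can.
CREATE NETWORK POLICY SVC_ETL_POLICY
  ALLOWED_IP_LIST = ('203.0.113.10/32');

ALTER USER SVC_ETL SET NETWORK_POLICY = SVC_ETL_POLICY;

-- 3. SCIM and OAuth security integrations carry their own policy, which also
--    overrides the account policy for that integration's traffic. Only the
--    IdP's documented egress range may provision users.
CREATE NETWORK POLICY IDP_SCIM_POLICY
  ALLOWED_IP_LIST = ('192.0.2.0/24');

ALTER SECURITY INTEGRATION OKTA_SCIM SET NETWORK_POLICY = IDP_SCIM_POLICY;

-- 4. Verify what is actually in force. A forgotten user-level or
--    integration-level policy is the usual reason a "known" client is rejected.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
SHOW PARAMETERS LIKE 'network_policy' IN USER SVC_ETL;
DESCRIBE NETWORK POLICY CORP_DEFAULT_POLICY;
SHOW NETWORK POLICIES;
```

Once the private endpoint is in use and you want the public endpoint closed, the account-level list shrinks to the private range only, and any client that must stay on the public endpoint gets its own user-level or integration-level policy rather than a widening of the account policy.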
Here are a few best practices to consider when using this feature.

* You’re responsible for setting up DNS to resolve Snowflake’s private URL. Using private DNS in your cloud provider network is the best practice, as it allows the Snowflake account to be resolved from clients running both in the cloud provider network and on-premises. You can then create a DNS forwarding rule for the Snowflake account in your on-premises DNS.
* After you’ve configured private connectivity, if you want to block access to the public endpoint, you can create an account-level network policy allowing only your network’s private IP range to connect to Snowflake.
* If you want to allow client applications running outside your network to connect to Snowflake, they would be connecting to your account over the public endpoint. To allow access, based on the use case, you can add the client application’s IP range to the allowed list of the account-level, user-level, or OAuth integration network policy.

Allow your firewall to connect client applications to Snowflake if your network has a firewall for egress traffic.

* Run SYSTEM$ALLOWLIST and/or SYSTEM$ALLOWLIST_PRIVATELINK based on whether you’re allowing the public endpoint, the private endpoint, or both to be accessible for your Snowflake account.
* Use SnowCD to ensure proper connectivity has been set up with Snowflake.
* If you’re using a network proxy to inspect egress traffic, set it up for SSL passthrough. Snowflake doesn’t support SSL-terminating proxies.

Allow Snowflake to access your cloud storage location for bulk loading/unloading data using COPY by adding the Snowflake VPC ID for AWS and/or VNet subnet IDs for Azure to your storage policy or firewall rules.

IDENTITY AND ACCESS MANAGEMENT

Once your Snowflake account is accessible, the next step in gaining access to Snowflake is to authenticate the user. Users must be created in Snowflake prior to any access.
Once the user is authenticated, a session is created with roles used to authorize access in Snowflake. This section covers best practices for:

1. Managing users and roles
2. Authentication and single sign-on
3. Sessions
4. Object-level access control (authorization)
5. Column-level access control
6. Row-level access control

MANAGING USERS AND ROLES

Snowflake recommends using SCIM, where supported by your Identity Provider, to provision and externally manage users and roles in Snowflake. Identity Providers can be further configured to synchronize users and roles with your Active Directory users and groups. Review the Okta SCIM and Azure AD SCIM FAQs before integrating with these providers. If you can’t use SCIM for any reason, then build your own AD sync tool similar to this one using a Snowflake driver. Note: use it at your own risk, as it’s a community-developed tool and not maintained by Snowflake.

Roles in Snowflake are hierarchical, and the best practices for defining role hierarchies are covered in the Object-level access control section below.

PASSWORD MANAGEMENT

Snowflake recommends using federated single sign-on (SSO), and using passwords only for certain use cases such as service accounts and users with the Snowflake ACCOUNTADMIN system role. For such cases, the password management best practices are as follows:

* Enable built-in Duo multi-factor authentication for additional security.
* Use complex and long passwords, preferably managed by secrets management or privileged access management (PAM) platforms. See the example of how to use HashiCorp Vault with Snowflake.
* Rotate passwords at regular intervals. While password expiry is not currently supported by Snowflake, you can use secrets management or PAM platforms to force password changes at regular intervals.

Monitor password use in your Snowflake account by:

1. Querying users who have the has_password column set.
2. Querying the login_history first_authentication_factor column.
3. Identifying a user with the ACCOUNTADMIN role for password resets, as self-service password reset is not currently supported except for trial accounts. If the ACCOUNTADMIN forgets their password, contact Snowflake Support for a password reset.
4. For users who don’t require a password in Snowflake, setting the password property to null. This ensures that password authentication isn’t available to those users, and that they can’t set a password themselves.
5. Reviewing this FAQ.

AUTHENTICATION AND SINGLE SIGN-ON (SSO)

Snowflake supports multiple authentication methods based on the interface used, such as client applications using drivers, the UI, or Snowpipe.

* Snowflake clients (drivers and SnowSQL) support username/password, OAuth, key pair, external browser, and Okta native authentication.
* Snowflake supports two types of OAuth:
  * Snowflake OAuth, where it accepts tokens from a built-in OAuth server
  * External OAuth, where it accepts tokens from a 3rd-party OAuth server
* External browser authentication only works for client applications running on a user’s machine. It must have browser access, as the driver opens the system browser and redirects the user to the Snowflake login page for authentication.
* Okta native authentication, as the name suggests, only works with Okta and has limitations such as MFA, which must be turned off for the user in Okta. This is a legacy method and is recommended only when the client application supports this method and hasn’t added support for OAuth yet.
* The Snowflake UI supports password and federated authentication using SAML.
* If you’re using Snowpipe for data ingestion, it supports key pair authentication.
* Single sign-on (SSO) from client apps is achieved using SAML, OAuth, external browser, and Okta native authentication methods.

Snowflake allows a user to use multiple authentication methods.
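The password monitoring steps above (has_password on the users view, first_authentication_factor in login_history, and removing the password from users that authenticate another way), as an added example rather than code from the article. It runs against the SNOWFLAKE.ACCOUNT_USAGE share, whose views lag live state by up to a couple of hours, so this is a periodic audit, not a real-time control; SVC_REPORTING is a constructed placeholder user.

```sql
-- Added example, not from the article. SVC_REPORTING is a placeholder.

-- 1. Active users that still have a password. Service accounts that are
--    supposed to use key pair or OAuth should not appear here at all.
SELECT name,
       has_password,
       has_rsa_public_key,
       disabled,
       default_role,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  has_password = TRUE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Which factors were actually used in the last 30 days. A PASSWORD first
--    factor with no second factor is the combination to drive to zero; rows
--    whose first factor is a key pair, SAML or OAuth token are the target state.
SELECT user_name,
       first_authentication_factor,
       second_authentication_factor,
       COUNT(*)             AS successful_logins,
       MAX(event_timestamp) AS last_login
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
GROUP  BY 1, 2, 3
ORDER  BY successful_logins DESC;

-- 3. Password-authenticated users that never succeeded with any other factor:
--    candidates for moving to SSO or key pair before the password is removed.
SELECT user_name
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
GROUP  BY user_name
HAVING COUNT_IF(first_authentication_factor <> 'PASSWORD') = 0;

-- 4. Remove the password from a user that authenticates another way, which is
--    what "set the password property to null" amounts to. With no password the
--    user cannot fall back to one, and cannot set one for themselves.
ALTER USER SVC_REPORTING UNSET PASSWORD;

-- 5. Confirm on live state (SHOW USERS is not subject to ACCOUNT_USAGE latency).
SHOW USERS LIKE 'SVC_REPORTING';
```

Run steps 1 to 3 on a schedule and alert on new rows rather than reviewing the full list by hand; the interesting event is a user that gains a password or starts logging in with one, not the steady state.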
For example, a user can authenticate with both password and SAML. Based on the client applications you use to connect to Snowflake and their capabilities, you may have to allow multiple authentication methods in your account.

Authentication best practices

Snowflake recommends creating a spreadsheet listing all the client applications connecting to Snowflake and their authentication capabilities. If an app supports multiple authentication methods, use the method highest in the following priority order.

Preference #1: OAuth (either Snowflake OAuth or External OAuth).
Preference #2: External browser, if it’s a desktop application that doesn’t support OAuth.
Preference #3: Okta native authentication, if you’re using Okta and the app supports this method while not yet supporting OAuth or external browser authentication.
Preference #4: Key pair authentication, mostly used for service account users. Since this requires the client application to manage private keys, complement it with your internal key management software.
Preference #5: Password; this should be the last option, for applications that don’t support any of the above options. This option is commonly used for service account users connecting from 3rd-party ETL apps.

Here are a few other best practice recommendations:

* For homegrown applications, ask developers to support Snowflake OAuth or External OAuth. If it’s a programmatic client application with no access to a browser, you can only use External OAuth, as Snowflake OAuth requires browser redirect capabilities.
* For SnowSQL and other desktop tools, ask users to use external browser authentication.
* Querying as end users vs. service account users: if you’re connecting to Snowflake using a service account because of client application capabilities or other reasons, and you still want to track the end user submitting the query, you can pass the end-user details through the query_tag in the session.
Be aware that this can easily be spoofed, so check with your security team before implementing it.

MULTI-FACTOR AUTHENTICATION (MFA)

Snowflake recommends always using MFA, as it provides an additional layer of security for user access. There are two ways to enable it for your Snowflake account.

1. Enable it in your identity provider: users are prompted for MFA when Snowflake redirects the user to the identity provider for authentication. This is the preferred mechanism for MFA, as it allows you to bring your own (BYO) MFA. It works with SAML, OAuth, and external browser authentication. Additionally, it provides ease of use for end users, as they need only a single MFA application to manage for accessing Snowflake and other company resources.
2. Built-in Duo MFA: Snowflake offers a built-in MFA powered by Duo Security. Use it only when you are not integrating with an Identity Provider.

SESSIONS

Once the user is authenticated, Snowflake creates a database session for the user. The client application can then use the session to submit queries to Snowflake. Each session has a 4-hour idle (inactivity) timeout. Using a session, new child sessions can be created. For example, the Snowflake classic UI creates child sessions, one per worksheet. The session management best practices are as follows:

* Reuse sessions
* Close connections when no longer required
* Avoid using CLIENT_SESSION_KEEP_ALIVE
* Monitor session usage

Reuse existing sessions from your client applications to get the best performance and avoid delays due to new session creation.

Close your client application’s connection when it is no longer required (e.g., by calling con.close() for the Python driver).

Avoid setting the session parameter CLIENT_SESSION_KEEP_ALIVE to TRUE unless necessary for the use case. By default, Snowflake closes the session after the idle timeout; if this parameter is set to TRUE, the session remains active indefinitely as long as the connection is active.
Too many sessions created with this parameter set to TRUE put stress on resources and can lead to poor performance.

Monitor session usage through the account_usage.sessions view.

OBJECT-LEVEL ACCESS CONTROL

Roles are used for authorizing access to objects, such as tables, views, and functions, in Snowflake. Roles can contain other roles and form hierarchies. When a database session is created for a user, the primary role is associated with the session. All roles under the hierarchy of the primary role are activated in the session to perform authorization. Take time to establish a proper role hierarchy model upfront. Snowflake recommends the following best practices for access control, in addition to reviewing the access control considerations section of the Snowflake documentation:

* Define functional roles and access roles
* Avoid granting access roles to other access roles
* Use future grants
* Set the default_role property for the user
* Create a role per user for cross-database join use cases
* Use managed access schemas to centralize grant management

Define two types of logical roles:

* functional roles
* access roles

A functional role hierarchy contains only users or other functional roles, while access roles contain only privileges. You then grant access roles to the functional roles. This strategy allows the functional role hierarchy to mimic your AD group hierarchy, which you can keep in sync using external tools as covered in the “Managing users and roles” section above.

Do not grant access roles to other access roles. This helps prevent unnecessary role hierarchies that can lead to suboptimal performance at login time. Instead, grant the privileges directly to the access roles. In the above example, grant the USAGE privilege on the database directly to the DB1_RO, DB1_RW, and DB1_ADMIN roles.

Simplify grant management using higher-level access roles and future grants at the database and/or schema level.
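The functional-role / access-role split, flat access roles, database-level future grants, a managed access schema and the default_role setting, written out as DDL for one database as an added example (not the article’s or Snowflake’s own code). DB1_RO, DB1_RW and DB1_ADMIN are the access role names the text uses; DB1 itself, the ANALYST and DATA_ENGINEER functional roles, the SALES schema and the user ALICE are constructed placeholders, and SYSADMIN is assumed to own DB1.

```sql
-- Added example, not from the article. DB1, ANALYST, DATA_ENGINEER, SALES
-- and ALICE are placeholders.
USE ROLE SECURITYADMIN;

-- Access roles hold privileges only; no user is ever granted one directly.
CREATE ROLE IF NOT EXISTS DB1_RO    COMMENT = 'read-only access to DB1';
CREATE ROLE IF NOT EXISTS DB1_RW    COMMENT = 'read-write access to DB1';
CREATE ROLE IF NOT EXISTS DB1_ADMIN COMMENT = 'object administration in DB1';

-- Functional roles mirror AD groups and hold users or other functional roles.
CREATE ROLE IF NOT EXISTS ANALYST;
CREATE ROLE IF NOT EXISTS DATA_ENGINEER;

-- USAGE on the database goes directly to every access role. No
-- DB1_ADMIN -> DB1_RW -> DB1_RO chain: each extra level is more role
-- activation work at login for every user above it.
GRANT USAGE ON DATABASE DB1 TO ROLE DB1_RO;
GRANT USAGE ON DATABASE DB1 TO ROLE DB1_RW;
GRANT USAGE ON DATABASE DB1 TO ROLE DB1_ADMIN;

-- Database-level future grants: objects created later inherit these, so no
-- re-grant is needed after each CREATE TABLE.
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE DB1 TO ROLE DB1_RO;
GRANT SELECT ON FUTURE TABLES IN DATABASE DB1 TO ROLE DB1_RO;
GRANT SELECT ON FUTURE VIEWS  IN DATABASE DB1 TO ROLE DB1_RO;

GRANT USAGE ON FUTURE SCHEMAS IN DATABASE DB1 TO ROLE DB1_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON FUTURE TABLES IN DATABASE DB1 TO ROLE DB1_RW;
GRANT SELECT ON FUTURE VIEWS IN DATABASE DB1 TO ROLE DB1_RW;

GRANT USAGE, CREATE TABLE, CREATE VIEW ON FUTURE SCHEMAS IN DATABASE DB1 TO ROLE DB1_ADMIN;

-- Future grants do not cover objects that already exist; grant those once.
GRANT USAGE ON ALL SCHEMAS IN DATABASE DB1 TO ROLE DB1_RO;
GRANT SELECT ON ALL TABLES IN DATABASE DB1 TO ROLE DB1_RO;
GRANT USAGE ON ALL SCHEMAS IN DATABASE DB1 TO ROLE DB1_RW;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN DATABASE DB1 TO ROLE DB1_RW;

-- Managed access schema: only the schema owner (or a role holding MANAGE
-- GRANTS) can grant privileges on objects inside it, so a table's owner
-- cannot hand out access at their own discretion.
USE ROLE SYSADMIN;
CREATE SCHEMA IF NOT EXISTS DB1.SALES WITH MANAGED ACCESS;
GRANT OWNERSHIP ON SCHEMA DB1.SALES TO ROLE DB1_ADMIN;

-- Wire access roles into functional roles, root the functional roles under
-- SYSADMIN so the hierarchy stays connected, and put users on functional roles.
USE ROLE SECURITYADMIN;
GRANT ROLE DB1_RO    TO ROLE ANALYST;
GRANT ROLE DB1_RW    TO ROLE DATA_ENGINEER;
GRANT ROLE DB1_ADMIN TO ROLE DATA_ENGINEER;
GRANT ROLE ANALYST       TO ROLE SYSADMIN;
GRANT ROLE DATA_ENGINEER TO ROLE SYSADMIN;

GRANT ROLE ANALYST TO USER ALICE;
ALTER USER ALICE SET DEFAULT_ROLE = ANALYST;

-- Audit: what an ANALYST session activates, and which future grants are live.
SHOW GRANTS TO ROLE ANALYST;
SHOW FUTURE GRANTS IN DATABASE DB1;
```

One caveat worth knowing before you mix levels: when future grants exist on both a database and one of its schemas, only the schema-level ones apply to new objects in that schema, so a schema-level future grant silently switches off the database-level defaults for that schema.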
For example, as described in the above diagram, you can start with three access roles at the database level:

* DB1_RO (for read-only access)
* DB1_RW (for read-write access)
* DB1_ADMIN (for admin tasks)

Next, assign the various privileges to these access roles and then define them as database-level future grants. When new objects are created, the appropriate privileges are automatically assigned to them.

Use the default_role property for the user, and set it to their functional role.

If you have cross-database joins, such as between a sales database and a marketing database, across many databases in an account, then consider creating a role per user instead of layering multiple roles on top of the database roles, since the permutations can lead to role explosion that becomes difficult to manage.

To prevent object owners from granting access to other roles at their discretion, use managed access schemas. They disable discretionary access control and centralize grant management.

COLUMN-LEVEL ACCESS CONTROL

If you want to restrict access to sensitive information in certain columns, such as PII, PHI, or financial data, Snowflake recommends the following data governance features, which restrict column access for unauthorized users:

1. Dynamic Data Masking: a built-in feature that dynamically obfuscates column data based on who is querying it.
2. External Tokenization: integrates with partner solutions to detokenize data at query time for authorized users.
3. Secure Views: hide the columns entirely from unauthorized users.

Both Dynamic Data Masking and External Tokenization use masking policies to restrict sensitive data access to authorized users. In addition to reviewing the considerations section of the documentation, Snowflake recommends the following best practices for masking policies:

* Determine up front whether you want a centralized or decentralized approach to policy management.
* Use invoker_role() in the policy condition so unauthorized users can view aggregate data while being unable to view individual values.
* Avoid using the SHA2 function in the policy to allow joins on protected columns for unauthorized users, since it can lead to unintended query results.

Determine up front whether your organization wants to centralize masking policy management or decentralize it to the individual teams that own each database.

If you want to allow unauthorized users to view aggregate information (such as sums or counts) on protected columns but disallow access to individual values, create a view that exposes the aggregated data as a column, and apply the masking policy on the underlying table column using the invoker_role() function in the policy condition.

If you want to allow unauthorized users to perform joins on protected columns in a query, use External Tokenization instead of Dynamic Data Masking. For this use case, do not use the SHA2 cryptographic hash function in Dynamic Data Masking policies, as hash functions can have collisions, however rare they might be. See here. Alternatively, you can use Snowflake's built-in encryption functions (ENCRYPT / DECRYPT and ENCRYPT_RAW / DECRYPT_RAW), which do not suffer from SHA2 collision issues.

ROW-LEVEL ACCESS CONTROL

You may have tables with mixed data where access to certain rows must be restricted to certain users. For example, you may want to restrict row visibility based on the user's country, so that US employees can view only US order data while French employees can view only order data from France. To solve this problem, create secure views that use the CURRENT_ROLE() or CURRENT_USER() context functions to dynamically filter rows for the user querying the view. See here.

DATA ENCRYPTION

All data stored in Snowflake is transparently encrypted using a key hierarchy (with a cloud-HSM-backed root of trust), which provides enhanced security by encrypting individual pieces of data with different keys.
Snowflake also offers the use of a customer-managed key (CMK) in this encryption process through a feature called Tri-Secret Secure. Independently of Tri-Secret Secure, Snowflake rotates the keys every 30 days, ensuring that data ingested after 30 days is encrypted using a new key hierarchy.

The data encryption best practices are as follows:

* Use Tri-Secret Secure, and review the AWS Tri-Secret Secure and Azure Tri-Secret Secure FAQs.
* Use automatic key rotation for the CMK as provided by the cloud provider (such as AWS KMS). If, for any reason, you need to manually change your CMK, contact Snowflake Support for assistance.
* Remember to enable Tri-Secret Secure in the target account when using the Replication feature to replicate a database to another account.
* Enable periodic rekeying in Snowflake if your organization requires rekeying of data at regular intervals.
* If you want to encrypt/decrypt certain columns in addition to the transparent encryption provided by Snowflake, use the built-in encryption functions.

PREVENT DATA EXFILTRATION

Follow the best practices described in the blog post below, related to external stage configurations, to prevent data exfiltration from your Snowflake account.

How to Configure a Snowflake Account to Prevent Data Exfiltration

MONITORING

You can monitor the usage of Snowflake to meet your organization's audit and compliance requirements. Every Snowflake account comes with a system-defined, read-only shared database named SNOWFLAKE. It has a schema named ACCOUNT_USAGE containing views that provide access to one year of audit logs. You can use the following views for audit purposes.

* LOGIN_HISTORY: contains the log of every connection established with Snowflake. You can determine who logged in, from where, and using what authentication method.
* QUERY_HISTORY: contains the log of every query run in Snowflake.
This includes queries against both customer data and metadata, such as the lifecycle of users, roles, and grants.

If you need to retain audit logs for more than one year, you can:

* move them into custom tables in your Snowflake account (see SnowAlert), or
* move them outside of Snowflake into your SIEM or other security solutions.

Get detailed info for users

You can get detailed information on current users using the USERS account_usage view. With this view, you can query for:

* Users that have passwords in Snowflake (where HAS_PASSWORD = true)
* Whether users with passwords in Snowflake are changing the password at regular intervals to remain compliant (where PASSWORD_LAST_SET_TIME < dateadd(day, -90, CURRENT_TIMESTAMP()) -- hasn't changed in the last 90 days)
* Users using key-pair authentication (where HAS_RSA_PUBLIC_KEY = true)
* Users using SSO to connect to Snowflake (where HAS_PASSWORD != true and HAS_RSA_PUBLIC_KEY != true)
* Users created in the last 30 days (where CREATED_ON > dateadd(day, -30, CURRENT_TIMESTAMP()))
* Inactive users (where LAST_SUCCESS_LOGIN < dateadd(day, -30, CURRENT_TIMESTAMP()) -- haven't used Snowflake in the last 30 days)
* Disabled users (where DISABLED = true)

Who has access to what?

To determine who has access to what objects (tables, views, etc.) in Snowflake, join the GRANTS_TO_ROLES and GRANTS_TO_USERS account_usage views. Because roles are hierarchical, you need a recursive query to get this information. You can also visualize the role hierarchy by following this blog post. Query the ROLES view for information on when roles were created or deleted.

How was the user authenticated when performing a certain query?

For a given query, if you want to know how the user was authenticated, join the QUERY_HISTORY and SESSIONS views on SESSION_ID.

SUMMARY

The security best practices mentioned above will help you protect your data and your business's reputation.
Remember that security is a moving target, and cybercriminals get more advanced every day. So, most importantly, stay current on the latest attack trends and the newest prevention technology. For help implementing the best practices in this article, contact Snowflake Support.
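The access-role / functional-role layout from the OBJECT-LEVEL ACCESS CONTROL section, written out as an added example (this is not code from the original article). DB1, the SALES schema, the functional roles ANALYST and DATA_ENGINEER, and the user JDOE are constructed names; the DB1_RO / DB1_RW / DB1_ADMIN access roles are the ones the article describes.

```sql
-- Added example: functional roles hold users, access roles hold privileges.
-- DB1, SALES, ANALYST, DATA_ENGINEER and JDOE are constructed names.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS DB1;
-- Managed access: only the schema owner (or a role with MANAGE GRANTS) can grant
-- privileges on objects inside it, so individual table owners cannot hand out
-- access at their discretion.
CREATE SCHEMA IF NOT EXISTS DB1.SALES WITH MANAGED ACCESS;

USE ROLE SECURITYADMIN;
-- Access roles: one per access level, each holding privileges only.
CREATE ROLE IF NOT EXISTS DB1_RO    COMMENT = 'read-only access to DB1';
CREATE ROLE IF NOT EXISTS DB1_RW    COMMENT = 'read-write access to DB1';
CREATE ROLE IF NOT EXISTS DB1_ADMIN COMMENT = 'admin tasks on DB1';

-- Database USAGE goes to every access role directly; no DB1_RW -> DB1_RO chain,
-- which would deepen the hierarchy activated at login time.
GRANT USAGE ON DATABASE DB1 TO ROLE DB1_RO;
GRANT USAGE ON DATABASE DB1 TO ROLE DB1_RW;
GRANT USAGE ON DATABASE DB1 TO ROLE DB1_ADMIN;

-- Existing objects ...
GRANT USAGE ON ALL SCHEMAS IN DATABASE DB1 TO ROLE DB1_RO;
GRANT USAGE ON ALL SCHEMAS IN DATABASE DB1 TO ROLE DB1_RW;
GRANT SELECT ON ALL TABLES IN DATABASE DB1 TO ROLE DB1_RO;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN DATABASE DB1 TO ROLE DB1_RW;
-- ... and database-level future grants, so new schemas and tables pick up the
-- same privileges automatically. Note: if a schema-level future grant is later
-- defined for a schema, it takes precedence over these database-level ones.
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE DB1 TO ROLE DB1_RO;
GRANT USAGE ON FUTURE SCHEMAS IN DATABASE DB1 TO ROLE DB1_RW;
GRANT SELECT ON FUTURE TABLES IN DATABASE DB1 TO ROLE DB1_RO;
GRANT SELECT, INSERT, UPDATE, DELETE ON FUTURE TABLES IN DATABASE DB1 TO ROLE DB1_RW;
GRANT CREATE SCHEMA ON DATABASE DB1 TO ROLE DB1_ADMIN;
GRANT USAGE, CREATE TABLE, CREATE VIEW ON FUTURE SCHEMAS IN DATABASE DB1 TO ROLE DB1_ADMIN;

-- Functional roles mirror the AD group hierarchy and receive access roles.
CREATE ROLE IF NOT EXISTS ANALYST;
CREATE ROLE IF NOT EXISTS DATA_ENGINEER;
GRANT ROLE DB1_RO    TO ROLE ANALYST;
GRANT ROLE DB1_RW    TO ROLE DATA_ENGINEER;
GRANT ROLE DB1_ADMIN TO ROLE DATA_ENGINEER;
GRANT ROLE ANALYST   TO ROLE DATA_ENGINEER;   -- functional -> functional is fine
GRANT ROLE DATA_ENGINEER TO ROLE SYSADMIN;    -- keep the tree rooted under SYSADMIN

-- Users get a functional role, never an access role, and it becomes their default.
GRANT ROLE ANALYST TO USER JDOE;
ALTER USER JDOE SET DEFAULT_ROLE = ANALYST;
```

Run it as a user holding SYSADMIN and SECURITYADMIN; afterwards SHOW GRANTS TO ROLE DB1_RO should list only privileges, and SHOW GRANTS TO ROLE ANALYST only roles.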
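The column-level and row-level controls from the sections above, as an added example that is not part of the original article: a masking policy whose condition uses INVOKER_ROLE() so that an aggregate view resolves real values while direct queries stay masked, and a SECURE view that filters rows by CURRENT_ROLE(). All table, column and role names (DB1.SALES.ORDERS, CUSTOMER_EMAIL, FINANCE, AGG_OWNER, US_SALES, FR_SALES) are constructed; masking policies need Enterprise Edition or higher, and the APPLY MASKING POLICY grant to SYSADMIN is assumed to be acceptable in your account.

```sql
-- Added example; every object and role name here is constructed.
USE ROLE ACCOUNTADMIN;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE SYSADMIN;   -- needed to attach policies
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS DB1;
CREATE SCHEMA IF NOT EXISTS DB1.SALES;
CREATE OR REPLACE TABLE DB1.SALES.ORDERS (
  ORDER_ID NUMBER, COUNTRY STRING, CUSTOMER_EMAIL STRING, AMOUNT NUMBER(12,2));
INSERT INTO DB1.SALES.ORDERS VALUES                      -- constructed sample rows
  (1, 'US', 'ann@example.com', 120.00), (2, 'US', 'ann@example.com', 35.00),
  (3, 'FR', 'luc@example.com', 80.50);

USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS FINANCE;     -- may see raw email addresses
CREATE ROLE IF NOT EXISTS AGG_OWNER;   -- will own the aggregate view
CREATE ROLE IF NOT EXISTS US_SALES;
CREATE ROLE IF NOT EXISTS FR_SALES;
GRANT ROLE AGG_OWNER TO ROLE SYSADMIN;  -- lets the admin running this switch to it
GRANT USAGE ON DATABASE DB1 TO ROLE AGG_OWNER;
GRANT USAGE, CREATE VIEW ON SCHEMA DB1.SALES TO ROLE AGG_OWNER;
GRANT SELECT ON TABLE DB1.SALES.ORDERS TO ROLE AGG_OWNER;

-- Column level. When the policy is evaluated through a view, INVOKER_ROLE() is
-- the view's owner, so listing AGG_OWNER lets the aggregate view below compute
-- over real values while any direct query by other roles is masked.
USE ROLE SYSADMIN;
CREATE OR REPLACE MASKING POLICY DB1.SALES.EMAIL_MASK AS (val STRING) RETURNS STRING ->
  CASE WHEN INVOKER_ROLE() IN ('FINANCE', 'AGG_OWNER') THEN val
       ELSE '***MASKED***' END;
ALTER TABLE DB1.SALES.ORDERS MODIFY COLUMN CUSTOMER_EMAIL
  SET MASKING POLICY DB1.SALES.EMAIL_MASK;

USE ROLE AGG_OWNER;
CREATE OR REPLACE VIEW DB1.SALES.CUSTOMERS_PER_COUNTRY AS
  SELECT COUNTRY, COUNT(DISTINCT CUSTOMER_EMAIL) AS CUSTOMERS
  FROM DB1.SALES.ORDERS GROUP BY COUNTRY;   -- US -> 1, FR -> 1, no emails exposed

-- Row level. The mapping table keeps role names out of the view text, and SECURE
-- stops the optimizer from leaking filtered rows via pushed-down predicates.
USE ROLE SYSADMIN;
CREATE OR REPLACE TABLE DB1.SALES.ROLE_COUNTRY_MAP (ROLE_NAME STRING, COUNTRY STRING);
INSERT INTO DB1.SALES.ROLE_COUNTRY_MAP VALUES ('US_SALES', 'US'), ('FR_SALES', 'FR');
CREATE OR REPLACE SECURE VIEW DB1.SALES.ORDERS_BY_COUNTRY AS
  SELECT o.ORDER_ID, o.COUNTRY, o.CUSTOMER_EMAIL, o.AMOUNT
  FROM DB1.SALES.ORDERS o
  JOIN DB1.SALES.ROLE_COUNTRY_MAP m ON m.COUNTRY = o.COUNTRY
  WHERE m.ROLE_NAME = CURRENT_ROLE();
-- Through this view INVOKER_ROLE() is SYSADMIN, so CUSTOMER_EMAIL stays masked:
-- the row filter and the column mask compose. Grant the view, not the table.
GRANT USAGE ON DATABASE DB1 TO ROLE US_SALES;
GRANT USAGE ON SCHEMA DB1.SALES TO ROLE US_SALES;
GRANT SELECT ON VIEW DB1.SALES.ORDERS_BY_COUNTRY TO ROLE US_SALES;   -- same for FR_SALES
```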
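The MONITORING checks described above (the USERS view queries, the recursive walk over GRANTS_TO_ROLES and GRANTS_TO_USERS, and the QUERY_HISTORY / SESSIONS join on SESSION_ID), as added example queries that are not from the original article. DB1.SALES.ORDERS is a constructed object name; the 90-day and 30-day windows are the ones the article uses.

```sql
-- Added example queries against SNOWFLAKE.ACCOUNT_USAGE. DB1.SALES.ORDERS is a
-- constructed name. ACCOUNT_USAGE views lag live activity (typically up to a couple
-- of hours) and require IMPORTED PRIVILEGES on the SNOWFLAKE database.
USE ROLE ACCOUNTADMIN;

-- 1. Password users overdue for rotation (90 days) and accounts idle for 30 days.
--    DISABLED is a VARIANT in this view, hence the cast.
SELECT NAME, HAS_PASSWORD, HAS_RSA_PUBLIC_KEY, PASSWORD_LAST_SET_TIME, LAST_SUCCESS_LOGIN,
       CASE WHEN HAS_PASSWORD AND PASSWORD_LAST_SET_TIME < DATEADD(DAY, -90, CURRENT_TIMESTAMP())
            THEN 'password_rotation_overdue' ELSE 'inactive_30d' END AS FINDING
FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE DELETED_ON IS NULL
  AND COALESCE(DISABLED::BOOLEAN, FALSE) = FALSE
  AND ( (HAS_PASSWORD AND PASSWORD_LAST_SET_TIME < DATEADD(DAY, -90, CURRENT_TIMESTAMP()))
     OR LAST_SUCCESS_LOGIN < DATEADD(DAY, -30, CURRENT_TIMESTAMP()) )
ORDER BY NAME;

-- 2. Who can read a given table: start from roles holding a privilege on it, then
--    climb the role hierarchy (a role grant appears as GRANTED_ON = 'ROLE',
--    PRIVILEGE = 'USAGE', NAME = granted role, GRANTEE_NAME = receiving role).
--    Database/schema USAGE is not checked here; add it for a full effective-access view.
WITH RECURSIVE role_tree (GRANTEE, ROLE_WITH_GRANT, DEPTH) AS (
  SELECT GRANTEE_NAME, GRANTEE_NAME, 0
  FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
  WHERE DELETED_ON IS NULL AND GRANTED_ON = 'TABLE'
    AND TABLE_CATALOG = 'DB1' AND TABLE_SCHEMA = 'SALES' AND NAME = 'ORDERS'
    AND PRIVILEGE IN ('SELECT', 'OWNERSHIP')
  UNION ALL
  SELECT g.GRANTEE_NAME, rt.ROLE_WITH_GRANT, rt.DEPTH + 1
  FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES g
  JOIN role_tree rt
    ON g.NAME = rt.GRANTEE AND g.GRANTED_ON = 'ROLE' AND g.PRIVILEGE = 'USAGE'
  WHERE g.DELETED_ON IS NULL AND rt.DEPTH < 20      -- guard against runaway depth
)
SELECT DISTINCT u.GRANTEE_NAME AS USER_NAME, rt.GRANTEE AS VIA_ROLE, rt.ROLE_WITH_GRANT
FROM role_tree rt
JOIN SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS u
  ON u.ROLE = rt.GRANTEE AND u.DELETED_ON IS NULL
ORDER BY USER_NAME, VIA_ROLE;

-- 3. How each user was authenticated when they touched the table in the last week.
SELECT q.START_TIME, q.QUERY_ID, q.USER_NAME, q.ROLE_NAME,
       s.AUTHENTICATION_METHOD, s.CLIENT_APPLICATION_ID
FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY q
JOIN SNOWFLAKE.ACCOUNT_USAGE.SESSIONS s ON s.SESSION_ID = q.SESSION_ID
WHERE q.START_TIME > DATEADD(DAY, -7, CURRENT_TIMESTAMP())
  AND q.QUERY_TEXT ILIKE '%DB1.SALES.ORDERS%'
ORDER BY q.START_TIME DESC;
```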