Secure Snowflake with cnspec

Scan Snowflake accounts against security and compliance best practices with cnspec.

Scan your Snowflake accounts to find security risks before they become incidents. cnspec evaluates user authentication policies, network access rules, role and privilege configurations, password policies, and dozens of other Snowflake controls.

If you're new to cnspec, start with the Quickstart. For an overview of every SaaS service cnspec can scan, see the SaaS scanning overview.

Prerequisites

To scan a Snowflake account with cnspec, you must have:

Authenticate

cnspec connects to Snowflake as an ordinary Snowflake user, authenticated with either a password or an RSA key pair. You need:

  • Your Snowflake account identifier
  • Your Snowflake region
  • A user with a role that has sufficient privileges to read account-level configuration (such as ACCOUNTADMIN or SECURITYADMIN). A scan only reads configuration, so a dedicated role granted just those read privileges is a safer choice than running every scan as ACCOUNTADMIN.

Connection options

Option                  Description
--account               Snowflake account identifier
--region                Snowflake region
--user                  Username for authentication
--role                  Snowflake role to use for the session
--password, -p          Set the connection password
--ask-pass              Prompt for the connection password
--identity-file, -i     Path to a file containing the identity (private key) for public key authentication

You can also set environment variables to avoid passing credentials on every command:

export SNOWFLAKE_ACCOUNT=ACCOUNT-ID
export SNOWFLAKE_REGION=REGION
export SNOWFLAKE_USER=YOUR-USER-ID
export SNOWFLAKE_ROLE=YOUR-ROLE

Verify with a quick Snowflake check

Confirm that cnspec can reach your Snowflake account by opening a cnspec shell:

cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass

To authenticate with an RSA key pair instead of a password, pass the private key file with --identity-file. To generate a key pair and assign the public key to the user, see Key-pair authentication and key-pair rotation in the Snowflake documentation:

cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --identity-file PATH-TO-KEY

Scan Snowflake

cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass

When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy, along with a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues. To learn more about reading scan results, read Understand cnspec Results.

Scan with the Mondoo Snowflake Security policy

Mondoo maintains an out-of-the-box Snowflake Security policy that checks user authentication, network policies, password requirements, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo App, go to Findings > Policies, search for "Snowflake", and add the policy. To learn more, read Manage policies in Mondoo Platform.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-snowflake-security.mql.yaml

You can also create your own policies to meet your specific requirements.

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks.

List all users

cnspec> snowflake.account.users
snowflake.account.users: [
  0: snowflake.user name="STELLA"
  1: snowflake.user name="MWEZI"
  2: snowflake.user name="SNOWFLAKE"
]

Find users not enrolled in Duo MFA

cnspec> snowflake.account.users.where(extAuthnDuo == false)

extAuthnDuo reflects the EXT_AUTHN_DUO column of SHOW USERS, that is, enrollment in Snowflake's built-in Duo MFA. Users who authenticate through an external identity provider are not covered by it, so treat the result as a list of candidates to review rather than a complete MFA inventory.

Find users with key-pair (RSA public key) authentication configured

cnspec> snowflake.account.users.where(hasRsaPublicKey)

List all databases

cnspec> snowflake.account.databases

Example security checks

Ensure MFA is enabled for all active users

cnspec> snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)
[ok] value: true

Ensure network policies are configured

cnspec> snowflake.account.networkPolicies.length > 0
[ok] value: true

This confirms that at least one network policy is defined. A policy only restricts access once it is activated at the account or user level, so review where each policy is applied as well.

Ensure password policies enforce minimum length

cnspec> snowflake.account.passwordPolicies.all(passwordMinLength >= 14)
[ok] value: true

This only inspects the password policies that exist. An account with no password policy defined at all is not reported by it, so check that the list is non-empty as well, as the network policy example above does.

Ensure password policies enforce password history

cnspec> snowflake.account.passwordPolicies.all(passwordHistory >= 5)
[ok] value: true

Ensure databases have Time Travel retention configured

cnspec> snowflake.account.databases.all(retentionTime > 0)
[ok] value: true
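The checks above can be packaged into a custom policy bundle and passed to cnspec with --policy-bundle, exactly as the Mondoo Snowflake Security policy is. The bundle below is an added example, not a Mondoo-maintained policy: the policy and query uids, the impact values, and the asset.platform == "snowflake" filter are assumptions, while the MQL is the page's own checks plus a guard that at least one password policy is defined.

```yaml
# custom-snowflake-baseline.mql.yaml
# Added example bundle. The uids, impact values and the platform filter are
# assumptions; the MQL expressions are the interactive checks from this page.
policies:
  - uid: custom-snowflake-baseline
    name: Custom Snowflake baseline
    version: 1.0.0
    groups:
      - title: Authentication and network access
        filters: asset.platform == "snowflake"
        checks:
          - uid: custom-snowflake-mfa-active-users
          - uid: custom-snowflake-network-policy-defined
      - title: Password policies
        filters: asset.platform == "snowflake"
        checks:
          - uid: custom-snowflake-password-policy-defined
          - uid: custom-snowflake-password-min-length
          - uid: custom-snowflake-password-history
      - title: Data protection
        filters: asset.platform == "snowflake"
        checks:
          - uid: custom-snowflake-time-travel-retention

queries:
  - uid: custom-snowflake-mfa-active-users
    title: Ensure MFA is enabled for all active users
    impact: 80
    mql: snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)

  - uid: custom-snowflake-network-policy-defined
    title: Ensure at least one network policy is defined
    impact: 60
    mql: snowflake.account.networkPolicies.length > 0

  # Guard: without this check, an account that defines no password policy at
  # all gives the two all() checks below nothing to evaluate.
  - uid: custom-snowflake-password-policy-defined
    title: Ensure at least one password policy is defined
    impact: 60
    mql: snowflake.account.passwordPolicies.length > 0

  - uid: custom-snowflake-password-min-length
    title: Ensure password policies enforce a minimum length of 14
    impact: 60
    mql: snowflake.account.passwordPolicies.all(passwordMinLength >= 14)

  - uid: custom-snowflake-password-history
    title: Ensure password policies keep a history of at least 5 passwords
    impact: 40
    mql: snowflake.account.passwordPolicies.all(passwordHistory >= 5)

  - uid: custom-snowflake-time-travel-retention
    title: Ensure databases have Time Travel retention configured
    impact: 40
    mql: snowflake.account.databases.all(retentionTime > 0)
```

Run it with the same connection options as the Mondoo policy, for example cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass --policy-bundle custom-snowflake-baseline.mql.yaml. Keeping the existence guards as separate checks means a missing policy shows up as its own failed check with its own remediation, instead of silently passing the threshold checks that depend on it.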
