Assess Snowflake Security with cnspec
Secure and enforce policy for your Snowflake accounts
Rely on cnspec to ensure your Snowflake accounts follow security best practices, such as verifying user authentication policies, checking network access rules, and auditing role and privilege configurations.
Prerequisites
To test your Snowflake account with cnspec, you must have:
- cnspec installed on your workstation
- A Snowflake account with a role that has read access to account-level configuration (such as `ACCOUNTADMIN` or `SECURITYADMIN`)
Give cnspec access to your Snowflake account
cnspec connects to Snowflake using standard account credentials. You need:
- Your Snowflake account identifier
- Your Snowflake region
- A user with a role that has sufficient privileges to read account-level configuration (such as `ACCOUNTADMIN` or `SECURITYADMIN`)
To test access with password authentication, open a cnspec shell:
```bash
cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass
```

To authenticate with an RSA key pair instead of a password (to learn how to set up key-pair authentication, read Key-pair authentication and key-pair rotation in the Snowflake documentation):

```bash
cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --private-key PATH-TO-KEY
```

Key-pair authentication is the better choice for unattended scans (CI jobs, scheduled runs), because no password has to be typed or stored in the environment. For interactive use, you can set environment variables so you do not have to repeat the connection details on every command; the password is still prompted for:
```bash
export SNOWFLAKE_ACCOUNT=ACCOUNT-ID
export SNOWFLAKE_REGION=REGION
export SNOWFLAKE_USER=YOUR-USER-ID
export SNOWFLAKE_ROLE=YOUR-ROLE
cnspec shell snowflake --ask-pass
```

Scan your Snowflake account
To scan your Snowflake account:
```bash
cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass
```

Connection options

| Option | Description |
|---|---|
| --account | Snowflake account identifier |
| --region | Snowflake region |
| --user | Username for authentication |
| --role | Snowflake role to use for the session (it must be able to read account-level configuration) |
| --ask-pass | Prompt for the password |
| --private-key | Path to the RSA private key for key-pair authentication (used instead of --ask-pass) |
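Typing checks into the shell is fine for exploration, but for repeatable scans you can put the same MQL into a cnspec policy bundle and pass it to `cnspec scan` with `--policy-bundle`. The bundle below is an added example, not part of this page or of Mondoo's own policy packs. It encodes the checks listed under Example security checks further down, with two refinements a practitioner usually wants: the MFA check is scoped to users that actually log in with a password (Duo MFA applies to password logins, so a key-pair-only service user would otherwise fail it), and the password-policy check fails outright when the account has no password policy at all. The uids, the impact scores, the group titles and the `asset.platform == "snowflake"` filter are assumptions; confirm the filter value against what `asset.platform` returns in `cnspec shell snowflake` before relying on it.

```yaml
# Added example policy bundle (not Mondoo's own policy pack).
# Save as snowflake-baseline.mql.yaml and run it against the account with:
#   cnspec scan snowflake --account ACCOUNT-ID --region REGION \
#     --user YOUR-USER-ID --role YOUR-ROLE --ask-pass \
#     --policy-bundle snowflake-baseline.mql.yaml
policies:
  - uid: example-snowflake-baseline            # assumption: any unique id works
    name: Snowflake account baseline (example)
    version: 1.0.0
    groups:
      - title: Authentication
        # assumption: platform name as reported by asset.platform for this provider
        filters: asset.platform == "snowflake"
        checks:
          - uid: example-snowflake-mfa-for-password-users
          - uid: example-snowflake-password-policy-strength
        # data queries are reported alongside the checks but do not score
        queries:
          - uid: example-snowflake-password-users-without-mfa
      - title: Network and data protection
        filters: asset.platform == "snowflake"
        checks:
          - uid: example-snowflake-network-policy-defined
          - uid: example-snowflake-time-travel-retention

queries:
  - uid: example-snowflake-mfa-for-password-users
    title: Active users that log in with a password have Duo MFA enabled
    impact: 80
    docs:
      desc: |
        Only users that can authenticate with a password are in scope. Disabled users
        and users that authenticate solely with an RSA key pair are excluded so that
        service identities do not cause a false failure.
      remediation: |
        Enroll the listed users in MFA, or move service identities to key-pair
        authentication and remove their passwords.
    mql: snowflake.account.users.where(disabled == false && hasPassword == true).all(extAuthnDuo == true)

  - uid: example-snowflake-password-users-without-mfa
    title: Password-authenticating users without MFA (for the report)
    mql: snowflake.account.users.where(disabled == false && hasPassword == true && extAuthnDuo == false) { name email lastSuccessLogin }

  - uid: example-snowflake-password-policy-strength
    title: Password policies require at least 14 characters and 5 generations of history
    impact: 60
    docs:
      desc: |
        The length test alone would pass trivially on an account that defines no
        password policy, so the check first requires that at least one policy exists.
    mql: snowflake.account.passwordPolicies.length > 0 && snowflake.account.passwordPolicies.all(passwordMinLength >= 14 && passwordHistory >= 5)

  - uid: example-snowflake-network-policy-defined
    title: At least one network policy is defined
    impact: 70
    docs:
      desc: |
        Existence is the minimum this resource can assert; whether the policy is
        activated for the account or assigned to users must be confirmed separately.
    mql: snowflake.account.networkPolicies.length > 0

  - uid: example-snowflake-time-travel-retention
    title: Every database keeps a non-zero Time Travel retention period
    impact: 40
    mql: snowflake.account.databases.all(retentionTime > 0)
```

Each check's `mql` is an assertion: it passes when the expression evaluates to true and fails otherwise, so the scan result reads the same as the `[ok] value: true` lines you see in the shell. The data query has no assertion and simply lists the offending users next to the failed MFA check, which is usually what the person remediating wants to see first.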
Explore your Snowflake account
Run cnspec shell snowflake (with the required flags above) to open the interactive shell.
List all users
```
cnspec> snowflake.account.users
snowflake.account.users: [
  0: snowflake.user name="STELLA"
  1: snowflake.user name="MWEZI"
  2: snowflake.user name="SNOWFLAKE"
]
```

Find users without MFA
```
cnspec> snowflake.account.users.where(extAuthnDuo == false)
snowflake.account.users.where: [
  0: snowflake.user name="MWEZI"
  1: snowflake.user name="SNOWFLAKE"
]
```

extAuthnDuo reports whether the user is enrolled in Snowflake's Duo-based MFA. Users that authenticate only through SSO or an RSA key pair also show false here, so review this list against how each user actually logs in before treating every entry as a finding.

Find users with key-pair (RSA) authentication
```
cnspec> snowflake.account.users.where(hasRsaPublicKey)
snowflake.account.users.where: [
  0: snowflake.user name="STELLA"
]
```

List all databases
```
cnspec> snowflake.account.databases
snowflake.account.databases: [
  0: snowflake.database name="MARS_SAMPLES"
  1: snowflake.database name="SECURITY_EXPORTS"
  2: snowflake.database name="VELOCITY"
]
```

Example security checks
Ensure MFA is enabled for all active users
```
cnspec> snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)
[ok] value: true
```

This asserts Duo MFA for every enabled user, including service users that authenticate with a key pair and never use a password. If only password logins must carry MFA, narrow the where clause with hasPassword so those identities do not produce a false failure.

Ensure network policies are configured
```
cnspec> snowflake.account.networkPolicies.length > 0
[ok] value: true
```

This only verifies that at least one network policy exists. It does not tell you whether the policy is activated for the account or assigned to any user, so confirm that separately before relying on it as a control.

Ensure password policies enforce minimum length
```
cnspec> snowflake.account.passwordPolicies.all(passwordMinLength >= 14)
[ok] value: true
```

Ensure password policies enforce password history
```
cnspec> snowflake.account.passwordPolicies.all(passwordHistory >= 5)
[ok] value: true
```

Both password-policy checks only assert over policies that exist. Pair them with a check that snowflake.account.passwordPolicies.length is greater than 0 so that an account with no password policy at all does not pass.

Ensure databases have Time Travel retention configured
```
cnspec> snowflake.account.databases.all(retentionTime > 0)
[ok] value: true
```

List users with password authentication
```
cnspec> snowflake.account.users.where(hasPassword) { name email lastSuccessLogin }
```

Learn more

- To learn more about how the MQL query language works, read Write Effective MQL.
- Explore the complete Mondoo Snowflake Resource Pack Reference.