Secure Snowflake with cnspec
Scan Snowflake accounts against security and compliance best practices with cnspec.
Scan your Snowflake accounts to find security risks before they become incidents. cnspec evaluates user authentication policies, network access rules, role and privilege configurations, password policies, and dozens of other Snowflake controls.
Prerequisites
To scan a Snowflake account with cnspec, you must have:
- cnspec installed on your workstation
- A Snowflake account with a role that has read access to account-level configuration (such as ACCOUNTADMIN or SECURITYADMIN)
Authenticate
cnspec connects to Snowflake using standard account credentials. You need:
- Your Snowflake account identifier
- Your Snowflake region
- A user with a role that has sufficient privileges to read account-level configuration (such as ACCOUNTADMIN or SECURITYADMIN)
Connection options
| Option | Description |
|---|---|
| `--account` | Snowflake account identifier |
| `--region` | Snowflake region |
| `--user` | Username for authentication |
| `--role` | Snowflake role to use for the session |
| `--ask-pass` | Prompt for the password |
| `--private-key` | Path to the RSA private key for key-pair authentication (instead of `--ask-pass`) |
You can also set environment variables to avoid passing credentials on every command:
```shell
export SNOWFLAKE_ACCOUNT=ACCOUNT-ID
export SNOWFLAKE_REGION=REGION
export SNOWFLAKE_USER=YOUR-USER-ID
export SNOWFLAKE_ROLE=YOUR-ROLE
```

Verify with a quick Snowflake check
Confirm that cnspec can reach your Snowflake account by opening a cnspec shell:
```shell
cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass
```

To authenticate with an RSA key pair instead of a password, see Key-pair authentication and key-pair rotation in the Snowflake documentation:

```shell
cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --private-key PATH-TO-KEY
```

Scan Snowflake

```shell
cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass
```

Scan with the Mondoo Snowflake Security policy
Mondoo maintains an out-of-the-box Snowflake Security policy that checks user authentication, network policies, password requirements, and more.
Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Snowflake", and add the policy. To learn more, read Manage Policies.
Open source users: Pass the policy bundle URL directly to cnspec:
```shell
cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-snowflake-security.mql.yaml
```

You can also create your own policies to meet your specific requirements.
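As an added example of such a custom policy (it is not the Mondoo policy and not code from this page), the bundle below collects the five checks shown under "Example security checks" into cnspec's policy YAML format. The policy and query uids, the impact scores, the remediation text and the `asset.platform == "snowflake"` group filter are assumptions chosen for this example.

```yaml
# example-snowflake-baseline.mql.yaml
# Added example bundle: uids, impact scores, remediation text and the
# platform filter are assumptions, not taken from the Mondoo policy.
policies:
  - uid: example-snowflake-baseline
    name: Example Snowflake Baseline
    version: 1.0.0
    groups:
      - title: Authentication and network access
        # Assumed platform name reported by the cnspec Snowflake provider
        filters: asset.platform == "snowflake"
        checks:
          - uid: example-snowflake-mfa-active-users
          - uid: example-snowflake-network-policy-present
      - title: Password policies and data protection
        filters: asset.platform == "snowflake"
        checks:
          - uid: example-snowflake-password-min-length
          - uid: example-snowflake-password-history
          - uid: example-snowflake-db-time-travel
queries:
  - uid: example-snowflake-mfa-active-users
    title: Ensure MFA is enabled for all active users
    impact: 80
    # Disabled users are excluded so dormant accounts do not hide a gap
    mql: snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)
    docs:
      desc: Every enabled user should have Duo MFA enrolled.
      remediation: Enroll the listed users in MFA or disable the accounts.
  - uid: example-snowflake-network-policy-present
    title: Ensure network policies are configured
    impact: 70
    mql: snowflake.account.networkPolicies.length > 0
  - uid: example-snowflake-password-min-length
    title: Ensure password policies enforce minimum length
    impact: 60
    mql: snowflake.account.passwordPolicies.all(passwordMinLength >= 14)
  - uid: example-snowflake-password-history
    title: Ensure password policies enforce password history
    impact: 50
    mql: snowflake.account.passwordPolicies.all(passwordHistory >= 5)
  - uid: example-snowflake-db-time-travel
    title: Ensure databases have Time Travel retention configured
    impact: 40
    mql: snowflake.account.databases.all(retentionTime > 0)
```

Run it by passing the file to `--policy-bundle` on the `cnspec scan snowflake` command above; `cnspec bundle lint example-snowflake-baseline.mql.yaml` validates the file before the first scan.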
Explore and test checks interactively
Open a cnspec shell to discover resources and try out checks.
List all users
```
cnspec> snowflake.account.users
snowflake.account.users: [
  0: snowflake.user name="STELLA"
  1: snowflake.user name="MWEZI"
  2: snowflake.user name="SNOWFLAKE"
]
```

Find users without MFA

```
cnspec> snowflake.account.users.where(extAuthnDuo == false)
```

Find users with key-pair (RSA public key) authentication

```
cnspec> snowflake.account.users.where(hasRsaPublicKey)
```

List all databases

```
cnspec> snowflake.account.databases
```

Example security checks
Ensure MFA is enabled for all active users
```
cnspec> snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)
[ok] value: true
```

Ensure network policies are configured

```
cnspec> snowflake.account.networkPolicies.length > 0
[ok] value: true
```

Ensure password policies enforce minimum length

```
cnspec> snowflake.account.passwordPolicies.all(passwordMinLength >= 14)
[ok] value: true
```

Ensure password policies enforce password history

```
cnspec> snowflake.account.passwordPolicies.all(passwordHistory >= 5)
[ok] value: true
```

Ensure databases have Time Travel retention configured

```
cnspec> snowflake.account.databases.all(retentionTime > 0)
[ok] value: true
```

Learn more
- Snowflake Resource Pack Reference: every Snowflake resource and field cnspec can query
- Write Effective MQL: guide to authoring checks and queries