Assess Snowflake Security with cnspec

Secure and enforce policy for your Snowflake accounts

Rely on cnspec to ensure your Snowflake accounts follow security best practices, such as verifying user authentication policies, checking network access rules, and auditing role and privilege configurations.

Before you begin

Before you start, install cnspec.

Give cnspec access to your Snowflake account

cnspec connects to Snowflake using standard account credentials. You need:

  • Your Snowflake account identifier
  • Your Snowflake region
  • A user with a role that has sufficient privileges to read account-level configuration (such as ACCOUNTADMIN or SECURITYADMIN)

To test access, open a cnspec shell:

cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass

You can also set environment variables to avoid passing credentials on every command:

export SNOWFLAKE_ACCOUNT=ACCOUNT-ID
export SNOWFLAKE_REGION=REGION
export SNOWFLAKE_USER=YOUR-USER-ID
export SNOWFLAKE_ROLE=YOUR-ROLE
cnspec shell snowflake --ask-pass

Scan your Snowflake account

To scan your Snowflake account:

cnspec scan snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass

Connection options

Option        Description
--account     Snowflake account identifier
--region      Snowflake region
--user        Username for authentication
--role        Snowflake role to use for the session
--ask-pass    Prompt for the password

Example checks

Run cnspec shell snowflake --account ACCOUNT-ID --region REGION --user YOUR-USER-ID --role YOUR-ROLE --ask-pass to open the cnspec interactive shell. From there you can make checks like the examples below.

Ensure MFA is enabled for all active users

cnspec> snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)
[ok] value: true

Ensure network policies are configured

cnspec> snowflake.account.networkPolicies.length > 0
[ok] value: true

Ensure password policies enforce minimum length

cnspec> snowflake.account.passwordPolicies.all(passwordMinLength >= 14)
[ok] value: true

Ensure password policies enforce password history

cnspec> snowflake.account.passwordPolicies.all(passwordHistory >= 5)
[ok] value: true

Ensure databases have Time Travel retention configured

cnspec> snowflake.account.databases.all(retentionTime > 0)
[ok] value: true

List users with password authentication

cnspec> snowflake.account.users.where(hasPassword) { name email lastSuccessLogin }
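
To run the checks above on every scan instead of typing them into the shell, they can be collected in a cnspec policy bundle. The bundle below is an added example, not a policy shipped by the project: the uids, names and titles are made up, the platform filter value is an assumption, and the MQL is taken from the checks on this page plus one added guard.

```yaml
# snowflake-baseline.mql.yaml (hypothetical file name)
policies:
  - uid: example-snowflake-baseline          # made-up uid
    name: Example Snowflake baseline
    version: 1.0.0
    groups:
      - title: Account hardening
        # Assumption: the Snowflake provider reports the platform as "snowflake".
        filters: asset.platform == "snowflake"
        checks:
          - uid: example-snowflake-mfa-active-users
          - uid: example-snowflake-network-policy-exists
          - uid: example-snowflake-password-policy-exists
          - uid: example-snowflake-password-min-length
          - uid: example-snowflake-password-history
          - uid: example-snowflake-time-travel-retention

queries:
  - uid: example-snowflake-mfa-active-users
    title: Ensure MFA is enabled for all active users
    mql: snowflake.account.users.where(disabled == false).all(extAuthnDuo == true)

  - uid: example-snowflake-network-policy-exists
    title: Ensure network policies are configured
    mql: snowflake.account.networkPolicies.length > 0

  # Added guard, not one of the page's checks: all() over an empty list passes,
  # so the two password checks below would succeed on an account that has
  # no password policy at all.
  - uid: example-snowflake-password-policy-exists
    title: Ensure at least one password policy exists
    mql: snowflake.account.passwordPolicies.length > 0

  - uid: example-snowflake-password-min-length
    title: Ensure password policies enforce minimum length
    mql: snowflake.account.passwordPolicies.all(passwordMinLength >= 14)

  - uid: example-snowflake-password-history
    title: Ensure password policies enforce password history
    mql: snowflake.account.passwordPolicies.all(passwordHistory >= 5)

  - uid: example-snowflake-time-travel-retention
    title: Ensure databases have Time Travel retention configured
    mql: snowflake.account.databases.all(retentionTime > 0)
```

Pass the file to the scan command from this page with the `-f` option, for example by appending `-f snowflake-baseline.mql.yaml` to `cnspec scan snowflake ... --ask-pass`.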
