| 1.1 Ensure single sign-on (SSO) is configured for your account / organization | ACCESS CONTROL |
| 1.3 Ensure that Snowflake password is unset for SSO users | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Ensure multi-factor authentication (MFA) is turned on for all human users with password-based authentication | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure minimum password length is set to 14 characters or more | IDENTIFICATION AND AUTHENTICATION |
| 1.6 Ensure that service accounts use key pair authentication | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Ensure authentication key pairs are rotated every 180 days | IDENTIFICATION AND AUTHENTICATION |
| 1.8 Ensure that users who did not log in for 90 days are disabled | ACCESS CONTROL |
| 1.9 Ensure that the idle session timeout is set to 15 minutes or less for users with the ACCOUNTADMIN and SECURITYADMIN roles | ACCESS CONTROL |
| 1.10 Limit the number of users with ACCOUNTADMIN and SECURITYADMIN | ACCESS CONTROL |
| 1.11 Ensure that all users granted the ACCOUNTADMIN role have an email address assigned | ACCESS CONTROL |
| 1.12 Ensure that no users have ACCOUNTADMIN or SECURITYADMIN as the default role | ACCESS CONTROL |
| 1.13 Ensure that the ACCOUNTADMIN or SECURITYADMIN role is not granted to any custom role | ACCESS CONTROL |
| 1.14 Ensure that Snowflake tasks are not owned by the ACCOUNTADMIN or SECURITYADMIN roles | ACCESS CONTROL |
| 1.15 Ensure that Snowflake tasks do not run with the ACCOUNTADMIN or SECURITYADMIN role privileges | ACCESS CONTROL |
| 1.16 Ensure that Snowflake stored procedures are not owned by the ACCOUNTADMIN or SECURITYADMIN roles | ACCESS CONTROL |
| 1.17 Ensure Snowflake stored procedures do not run with ACCOUNTADMIN or SECURITYADMIN role privileges | ACCESS CONTROL |
| 2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants | AUDIT AND ACCOUNTABILITY |
| 2.3 Ensure monitoring and alerting exist for password sign-ins of SSO users | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure monitoring and alerting exist for password sign-in without MFA | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure monitoring and alerting exist for creation, update and deletion of security integrations | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure monitoring and alerting exist for changes to network policies and associated objects | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure monitoring and alerting exist for SCIM token creation | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure monitoring and alerting exists for new share exposures | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure that user-level network policies have been configured for service accounts | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2 Ensure AES encryption key size used to encrypt files stored in internal stages is set to 256 bits | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5 Ensure that the REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION account parameter is set to true | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.6 Ensure that the REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION account parameter is set to true | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Ensure that all external stages have storage integrations | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.8 Ensure that the PREVENT_UNLOAD_TO_INLINE_URL account parameter is set to true | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
