| Recommendation | Control family |
|---|---|
| 1.1 Ensure single sign-on (SSO) is configured for your account / organization | ACCESS CONTROL |
| 1.3 Ensure that Snowflake password is unset for SSO users | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Ensure multi-factor authentication (MFA) is turned on for all human users with password-based authentication | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure minimum password length is set to 14 characters or more | IDENTIFICATION AND AUTHENTICATION |
| 1.6 Ensure that service accounts use key pair authentication | IDENTIFICATION AND AUTHENTICATION |
| 1.7 Ensure authentication key pairs are rotated every 180 days | IDENTIFICATION AND AUTHENTICATION |
| 1.8 Ensure that users who did not log in for 90 days are disabled | ACCESS CONTROL |
| 1.9 Ensure that the idle session timeout is set to 15 minutes or less for users with the ACCOUNTADMIN and SECURITYADMIN roles | ACCESS CONTROL |
| 1.10 Limit the number of users with ACCOUNTADMIN and SECURITYADMIN | ACCESS CONTROL |
| 1.11 Ensure that all users granted the ACCOUNTADMIN role have an email address assigned | ACCESS CONTROL |
| 1.12 Ensure that no users have ACCOUNTADMIN or SECURITYADMIN as the default role | ACCESS CONTROL |
| 1.13 Ensure that the ACCOUNTADMIN or SECURITYADMIN role is not granted to any custom role | ACCESS CONTROL |
| 1.14 Ensure that Snowflake tasks are not owned by the ACCOUNTADMIN or SECURITYADMIN roles | ACCESS CONTROL |
| 1.15 Ensure that Snowflake tasks do not run with the ACCOUNTADMIN or SECURITYADMIN role privileges | ACCESS CONTROL |
| 1.16 Ensure that Snowflake stored procedures are not owned by the ACCOUNTADMIN or SECURITYADMIN roles | ACCESS CONTROL |
| 1.17 Ensure Snowflake stored procedures do not run with ACCOUNTADMIN or SECURITYADMIN role privileges | ACCESS CONTROL |
| 2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants | AUDIT AND ACCOUNTABILITY |
| 2.3 Ensure monitoring and alerting exist for password sign-ins of SSO users | AUDIT AND ACCOUNTABILITY |
| 2.4 Ensure monitoring and alerting exist for password sign-in without MFA | AUDIT AND ACCOUNTABILITY |
| 2.5 Ensure monitoring and alerting exist for creation, update and deletion of security integrations | AUDIT AND ACCOUNTABILITY |
| 2.6 Ensure monitoring and alerting exist for changes to network policies and associated objects | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure monitoring and alerting exist for SCIM token creation | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure monitoring and alerting exist for new share exposures | AUDIT AND ACCOUNTABILITY |
| 3.2 Ensure that user-level network policies have been configured for service accounts | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.2 Ensure AES encryption key size used to encrypt files stored in internal stages is set to 256 bits | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5 Ensure that the REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION account parameter is set to true | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.6 Ensure that the REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION account parameter is set to true | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Ensure that all external stages have storage integrations | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.8 Ensure that the PREVENT_UNLOAD_TO_INLINE_URL account parameter is set to true | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY |