2.2 Ensure monitoring and alerting exist for MANAGE GRANTS privilege grants

Information

The MANAGE GRANTS privilege is one of the most powerful privileges in the Snowflake environment. This privilege gives the ability to grant or revoke privileges on any object as if the invoking role were the owner of the object.

A custom role with the MANAGE GRANTS privilege on account level will not be able to grant privileges on the account level as that privilege is implicitly reserved for the ACCOUNTADMIN and SECURITYADMIN roles. However, such custom roles will be able to grant any privileges on any objects below the account level.

Following the principle of least privilege and given how powerful the MANAGE GRANTS privilege is, any new MANAGE GRANTS privilege grants should be scrutinized.

Every new role granted the MANAGE GRANTS privilege increases the attack surface of a Snowflake environment. It may also indicate unauthorized privilege escalation performed by a threat actor.

If monitoring for MANAGE GRANTS privilege grants is not configured, inappropriate or unauthorized MANAGE GRANTS privilege grants may be missed. Missed grants can lead to gradual security posture degradation or to late detection of an ongoing security incident.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- Configure your monitoring task to alert on MANAGE GRANTS privilege grants. The following query returns every successful GRANT statement whose text contains MANAGE GRANTS (the match is case-insensitive and tolerates any whitespace between the two words):

    select end_time, query_type, query_text, user_name, role_name
    from snowflake.account_usage.query_history
    where execution_status = 'SUCCESS'
      and query_type = 'GRANT'
      and regexp_instr(query_text, 'manage\\s*grants', 1, 1, 0, 'i') > 0
    order by end_time desc;
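The benchmark leaves the "monitoring task" itself to the reader. The following is an added example, not part of the CIS benchmark or the Tenable audit, of wrapping the detection query in a native Snowflake alert so that it runs on a schedule and notifies the detection team. The warehouse name (monitoring_wh), the e-mail notification integration (security_email_int) and the recipient address are placeholders you must replace; the role that owns the alert needs the EXECUTE ALERT privilege on the account and IMPORTED PRIVILEGES on the SNOWFLAKE database to read ACCOUNT_USAGE.

```sql
-- Added example: scheduled alert for new MANAGE GRANTS privilege grants.
-- Placeholders (assumptions, not from the benchmark): monitoring_wh,
-- security_email_int, secops@example.com.

-- One-time setup: an e-mail notification integration the alert can call.
CREATE OR REPLACE NOTIFICATION INTEGRATION security_email_int
  TYPE = EMAIL
  ENABLED = TRUE
  ALLOWED_RECIPIENTS = ('secops@example.com');

-- The alert evaluates the benchmark's detection query once an hour,
-- restricted to rows that completed since the previous successful run so
-- the same grant is not reported twice. On the very first run
-- LAST_SUCCESSFUL_SCHEDULED_TIME() is NULL, so fall back to a 24-hour lookback.
CREATE OR REPLACE ALERT manage_grants_alert
  WAREHOUSE = monitoring_wh
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
    SELECT 1
    FROM snowflake.account_usage.query_history
    WHERE execution_status = 'SUCCESS'
      AND query_type = 'GRANT'
      -- same pattern as the benchmark: case-insensitive, any whitespace
      AND regexp_instr(query_text, 'manage\\s*grants', 1, 1, 0, 'i') > 0
      AND end_time >  COALESCE(SNOWFLAKE.ALERT.LAST_SUCCESSFUL_SCHEDULED_TIME(),
                               DATEADD(hour, -24, SNOWFLAKE.ALERT.SCHEDULED_TIME()))
      AND end_time <= SNOWFLAKE.ALERT.SCHEDULED_TIME()
  ))
  THEN
    CALL SYSTEM$SEND_EMAIL(
      'security_email_int',
      'secops@example.com',
      'Snowflake: MANAGE GRANTS privilege granted',
      'A successful GRANT statement containing MANAGE GRANTS was recorded in '
      || 'SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY. Run the benchmark detection '
      || 'query (ordered by end_time desc) to see who granted it and to which role.');

-- Alerts are created in a suspended state; start it explicitly.
ALTER ALERT manage_grants_alert RESUME;

-- Confirm the schedule is active.
SHOW ALERTS LIKE 'manage_grants_alert';
```

Two caveats for anyone operating this. First, ACCOUNT_USAGE.QUERY_HISTORY is populated with a latency of up to about 45 minutes, so a grant can land in the view after the window that should have covered it has already been evaluated; if missing an event is unacceptable, widen the lookback and deduplicate downstream rather than relying on the exact previous-run boundary. Second, the condition only inspects successful GRANT statements, which is what the benchmark asks for; failed attempts to grant MANAGE GRANTS are still visible in QUERY_HISTORY with execution_status = 'FAIL' and are worth a separate, lower-priority alert because they can indicate someone probing for privilege escalation.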

Impact:

If MANAGE GRANTS privilege grants happen frequently, monitoring and alerting on this event may generate undue load on the detection and response team.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.7

Plugin: Snowflake

Control ID: ef7fb7c92d78702851901c6f7ada36efd2ae6e513091f3d899fac3039b2d8d8e