1.6 Ensure that service accounts use key pair authentication

Information

A service account is an identity used by scripts, jobs, applications, pipelines, etc. to talk to Snowflake. It is also sometimes known as an "application user", "service principal", "system account", or "daemon user".

At the platform level, Snowflake does not differentiate between Snowflake users created for and used by humans and Snowflake users created for and used by services.

Password-based authentication used by humans can be augmented by a second factor (MFA), e.g. a hardware token, or a security code pushed to a mobile device. Services and automation cannot be easily configured to authenticate with a second factor. Instead, for such use cases, Snowflake supports using key pair authentication as a more secure alternative to password-based authentication.

Note that password-based authentication for a service account can remain enabled alongside key-based authentication. To ensure that only key-based authentication is enabled for a service account, the PASSWORD parameter for that Snowflake user must be set to null.

Password-based authentication has a set of disadvantages that increase the probability of a security incident, especially when used without MFA:

- Passwords created by humans are generally more predictable and less random than keys generated by a computer. Consequently, passwords are easier to brute force, both online (against a live service) and offline (against a hashed password database).
- Passwords are usually transmitted over the network and can be leaked when the transmission channel is insecure or when an application is accidentally misconfigured to log passwords.
- Passwords are also easy to leak by writing them down, e.g. on a sticky note attached to the back of a keyboard.
- It is easier to trick (phish) a user into revealing their password to an unauthorized party.

Using key-based authentication for service accounts helps mitigate the aforementioned issues.

Solution

Programmatically:

For every non-compliant service account:

- Follow the Configuring Key Pair Authentication instructions to generate the key <rsa_public_key>.
- In a Snowsight worksheet or through the SnowSQL CLI, run the following command:

  ALTER USER <service_account_name> SET RSA_PUBLIC_KEY='<rsa_public_key>';

- Update the configuration of the automation and services that rely on the service account to use key-based authentication. This is going to be specific to the service in question.
- Disable password-based authentication:

  ALTER USER <service_account_name> SET PASSWORD = null;
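The audit and verification queries below are an added example, not part of the benchmark text. They assume service accounts follow a naming convention (names starting with SVC_, since Snowflake itself does not distinguish service users from human users) and that the executing role can read the SNOWFLAKE.ACCOUNT_USAGE schema; SVC_ETL_LOADER is a constructed placeholder name.

```sql
-- Audit: list service accounts that still have a password set or have no RSA public key.
-- Assumption (not from the benchmark): service accounts are named SVC_<something>.
-- ACCOUNT_USAGE views can lag behind the live account state by up to a few hours.
SELECT
    name,
    has_password,
    has_rsa_public_key,
    CASE
        WHEN NOT has_rsa_public_key THEN 'no key pair configured'
        WHEN has_password           THEN 'password still enabled alongside key pair'
    END AS finding
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND STARTSWITH(name, 'SVC_')
  AND (has_password OR NOT has_rsa_public_key)
ORDER BY name;

-- Verify a single account right after remediation using live metadata
-- (no ACCOUNT_USAGE latency): expect has_password = false, has_rsa_public_key = true.
-- SVC_ETL_LOADER is a placeholder; substitute the real service account name.
SHOW USERS LIKE 'SVC_ETL_LOADER';
SELECT "name", "has_password", "has_rsa_public_key"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()));
```

Any row returned by the first query is a non-compliant account that needs the ALTER USER steps above; the second query should return has_password = false once PASSWORD has been set to null.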

Impact:

Snowflake authentication for existing automation and services that use service accounts with password-based authentication will break if the corresponding configuration is not updated before the service accounts' passwords are set to null.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Snowflake

Control ID: 941c4fb866be205eb17e9682ce5503bb0033725020a887a780fb99b809d28114