1.10 Limit the number of users with ACCOUNTADMIN and SECURITYADMIN

Information

By default, ACCOUNTADMIN is the most powerful role in a Snowflake account. Users holding the SECURITYADMIN role can trivially escalate their privileges to those of ACCOUNTADMIN.

Following the principle of least privilege, which prescribes limiting users' privileges to those strictly required to do their jobs, the ACCOUNTADMIN and SECURITYADMIN roles should be assigned to a limited number of designated users (e.g., fewer than 10, but at least 2 to ensure that access can be recovered if one ACCOUNTADMIN user is having login difficulties).

While it is important to apply the principle of least privilege to all access grants, it is especially important to apply it to highly privileged roles. Examples of such roles are ACCOUNTADMIN, SECURITYADMIN and their equivalents. The fewer users with full administrator privileges, the smaller the attack surface and the lower the probability of a full account compromise.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- For each user <username> that does not need all the privileges the role provides to fulfill their job responsibilities, revoke ACCOUNTADMIN or any equivalently privileged role:

  REVOKE ROLE ACCOUNTADMIN FROM USER <username>;

- For each user <username> that does not need all the privileges the role provides to fulfill their job responsibilities, revoke SECURITYADMIN or any equivalently privileged role:

  REVOKE ROLE SECURITYADMIN FROM USER <username>;
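The following is an added worked example, not part of the benchmark text, showing how to audit the current holders of the two roles before revoking. It assumes the session runs with ACCOUNTADMIN, that the SNOWFLAKE.ACCOUNT_USAGE share is available in the account, and the user names ANALYST_JDOE and ETL_SVC are constructed placeholders:

```sql
-- Added example (not from the benchmark page): enumerate who holds
-- ACCOUNTADMIN or SECURITYADMIN, check the headcount, then revoke the
-- grants that are not justified by a job function.
-- Assumes the session holds ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

-- 1. Real-time view of every direct grant of each admin role.
--    GRANTED_TO = USER rows are the users this control is about;
--    GRANTED_TO = ROLE rows show custom roles that inherit the admin role,
--    which is another path to the same privileges and should be reviewed too.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SHOW GRANTS OF ROLE SECURITYADMIN;

-- 2. Same question from ACCOUNT_USAGE, which adds who granted the role
--    and when. This view lags live state by up to a couple of hours.
SELECT role,
       grantee_name,
       granted_by,
       created_on
FROM   snowflake.account_usage.grants_to_users
WHERE  role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
  AND  deleted_on IS NULL
ORDER  BY role, grantee_name;

-- 3. Headcount per role, to compare against the guidance of fewer than 10
--    holders but at least 2 (so access can be recovered if one is locked out).
SELECT role,
       COUNT(*) AS holders
FROM   snowflake.account_usage.grants_to_users
WHERE  role IN ('ACCOUNTADMIN', 'SECURITYADMIN')
  AND  deleted_on IS NULL
GROUP  BY role;

-- 4. Revoke from users whose duties do not require the role.
--    ANALYST_JDOE and ETL_SVC are constructed placeholder user names.
REVOKE ROLE ACCOUNTADMIN  FROM USER ANALYST_JDOE;
REVOKE ROLE SECURITYADMIN FROM USER ETL_SVC;

-- 5. Confirm the remaining direct grants after the change.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SHOW GRANTS OF ROLE SECURITYADMIN;
```

Before revoking, grant each affected user a narrower role that covers their actual duties, since the Impact note below applies: a revoke with no replacement role removes whatever privileges the user relied on. SHOW GRANTS OF ROLE reflects the live state, so use it for the post-change check rather than the lagging ACCOUNT_USAGE view.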

Impact:

Users who lose the ACCOUNTADMIN or SECURITYADMIN role grant and are not granted a more narrowly scoped role appropriate to their job function may lose privileges required to do their job.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Snowflake

Control ID: 3498df917088ec93e0c95591da53a4dee9ac6c2723a02f3f5f76292fe4ef69a2