Information
Network policies allow restricting access to a Snowflake account based on source IP addresses. A network policy can be configured either on the account level, for all users of the account, or on the user level, for a specific user. In the presence of both account-level and user-level policies the latter takes precedence.
A network policy can also be configured on the SCIM and Snowflake OAuth security integrations to restrict the list of source IP addresses allowed when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If network policy is not set on the security integration of the aforementioned types, the account-level network policy, if any, is used.
Creation and application of unauthorized network policies can weaken access control through expansion of the allowed source IP addresses, or lead to a denial of service through blocklisting legitimate source IP addresses. Unauthorized changes and deletions of existing network policies can lead to the same undesirable results.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Programmatically:
In a Snowsight worksheet or through the SnowSQL CLI:
-
Configure your security monitoring solution to alert on changes to network policies.
select end_time, query_type, query_text, user_name, role_namefrom snowflake.account_usage.query_historywhere execution_status = 'SUCCESS' and ( query_type in ('CREATE_NETWORK_POLICY', 'ALTER_NETWORK_POLICY', 'DROP_NETWORK_POLICY') or (query_text ilike '%set%network_policy%' or query_text ilike '%unset%network_policy%'))order by end_time desc;
Impact:
If network policy creation, update, deletion and object association events happen frequently, monitoring and alerting on this event may generate undue load on the detection and response team.