1.3 Ensure that Snowflake password is unset for SSO users

Information

Ensure that Snowflake password is unset for SSO users.

Allowing users to sign in with Snowflake passwords in the presence of a configured third-party identity provider SSO may undermine mandatory security controls configured on the SSO and degrade the security posture of the account. For example, the SSO sign-in flow may be configured to require multi-factor authentication (MFA), whereas the Snowflake password sign-in flow may not.

Note :

- This benchmark does not preclude configuration of key pair authentication for SSO users. Key pair authentication may be necessary for users to interact with Snowflake programmatically or through third-party tools.
- To mitigate the risk of users not being able to sign in due to an SSO provider outage, ensure that at least one SSO break-glass user exists with Snowflake password reset privileges for account users. This break-glass user should be able to sign in using a Snowflake native password (coupled with MFA) or a key pair.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Programmatically:

For each SSO user <username> with a password, run the following command to set the password to NULL:

ALTER USER <username>
SET PASSWORD = NULL;

Impact:

Users will not be able to sign in to their Snowflake accounts if the SSO sign-in flow breaks, for example due to an SSO provider outage.
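As an added example (not part of the CIS benchmark or the Tenable audit), the following Snowflake SQL identifies SSO users that still carry a native password, applies the remediation above, and checks the break-glass user from the Note. It assumes the role can read SNOWFLAKE.ACCOUNT_USAGE (for example ACCOUNTADMIN), treats users whose successful logins in the last 90 days used SAML2 as "SSO users" (an assumption to adjust for your identity provider), and uses hypothetical user names.

```sql
-- Added example, not from the benchmark. Assumes ACCOUNT_USAGE read access and
-- that "SSO user" = a user with a successful SAML2 login in the last 90 days
-- (assumption; tune the window and factor to match your IdP integration).

-- 1. Finding: SSO users that still have a Snowflake password set.
WITH sso_users AS (
    SELECT DISTINCT user_name
    FROM   snowflake.account_usage.login_history
    WHERE  is_success = 'YES'
      AND  first_authentication_factor = 'SAML2'
      AND  event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
)
SELECT u.name,
       u.has_password,
       u.has_rsa_public_key,   -- key pair auth is still allowed by this control
       u.disabled
FROM   snowflake.account_usage.users u
JOIN   sso_users s ON s.user_name = u.name
WHERE  u.deleted_on IS NULL
  AND  u.has_password = TRUE
ORDER BY u.name;

-- 2. Remediation for one user returned by step 1 (hypothetical name).
--    Do NOT run this against the break-glass user from step 3.
ALTER USER "JDOE" SET PASSWORD = NULL;

-- 3. Break-glass check from the Note: the designated native-auth admin
--    (hypothetical name) must keep a password or key pair so that passwords
--    can be reset if the IdP is unavailable.
SELECT name, has_password, has_rsa_public_key, disabled
FROM   snowflake.account_usage.users
WHERE  name = 'BREAKGLASS_ADMIN'
  AND  deleted_on IS NULL;
```

ACCOUNT_USAGE views lag live state by up to a couple of hours, so re-run step 1 after remediation or confirm with SHOW USERS before closing the finding.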

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)

Plugin: Snowflake

Control ID: e73c70f74fd2686781b7c846281cf686b2a76a036f95943407152e0fe0526a9c