Information
The System for Cross-domain Identity Management (SCIM) is an open specification designed to help facilitate the automated management of user identities and groups (i.e. roles) in cloud applications using RESTful APIs.
Snowflake supports SCIM 2.0 integration with Okta, Microsoft Azure AD and custom identity providers. Users and groups from the identity provider can be provisioned into Snowflake, which functions as the service provider.
A SCIM access token is a bearer token that SCIM clients use to authenticate to the Snowflake SCIM server.
SCIM access tokens generated without proper authorization may be used to configure rogue SCIM integrations. Such integrations can then provision rogue users that, through existing roles, are granted unauthorized access to Snowflake data and other objects.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Programmatically:
In a Snowsight worksheet or through the SnowSQL CLI:
- Configure your security monitoring solution to alert on SCIM access token creation. The following query can be run periodically:
select end_time, query_type, query_text, user_name, role_name
from snowflake.account_usage.query_history
where execution_status = 'SUCCESS'
  and query_type = 'SELECT'
  and regexp_instr(query_text, 'system\\$generate_scim_access_token\\s*\\(', 1, 1, 0, 'i') > 0
order by end_time desc;
Impact:
If SCIM access token creation events happen frequently, monitoring and alerting on this event may generate undue load on the detection and response team. That said, a SCIM access token is valid for 6 months and there is usually only one SCIM integration per account. Frequent SCIM access token creation would likely be an unusual event.
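The detection logic of the query above, and the frequency concern raised under Impact, can be exercised offline against sample data before the alert is wired into a SIEM. The following Python is an added example, not part of the benchmark or of Snowflake's own tooling: it applies the same filters and the same regular expression to a handful of constructed QUERY_HISTORY-shaped rows, returns the matches newest first, and counts how many fall inside a trailing window. The row contents, user and role names, and the 30-day window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Same pattern as the benchmark's REGEXP_INSTR call. Snowflake string literals
# need the backslashes doubled; a Python raw string does not.
SCIM_TOKEN_PATTERN = re.compile(
    r"system\$generate_scim_access_token\s*\(", re.IGNORECASE
)

# Constructed sample rows shaped like SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY,
# limited to the columns the benchmark query reads. Made-up data, not a real account.
SAMPLE_QUERY_HISTORY = [
    {"end_time": datetime(2024, 3, 1, 9, 0), "query_type": "SELECT",
     "execution_status": "SUCCESS", "user_name": "ADMIN_USER", "role_name": "ACCOUNTADMIN",
     "query_text": "select system$generate_scim_access_token('okta_provisioning');"},
    # Different case and whitespace before the parenthesis: must still match.
    {"end_time": datetime(2024, 3, 5, 14, 30), "query_type": "SELECT",
     "execution_status": "SUCCESS", "user_name": "SVC_IDP", "role_name": "SECURITYADMIN",
     "query_text": "SELECT SYSTEM$GENERATE_SCIM_ACCESS_TOKEN ( 'AAD_PROVISIONING' )"},
    # Failed attempt: no token was issued, so the query excludes it.
    {"end_time": datetime(2024, 3, 6, 8, 15), "query_type": "SELECT",
     "execution_status": "FAILED", "user_name": "ANALYST", "role_name": "PUBLIC",
     "query_text": "select system$generate_scim_access_token('x');"},
    # Unrelated successful SELECT.
    {"end_time": datetime(2024, 3, 7, 10, 0), "query_type": "SELECT",
     "execution_status": "SUCCESS", "user_name": "ANALYST", "role_name": "SYSADMIN",
     "query_text": "select count(*) from snowflake.account_usage.users;"},
    # Integration creation is a different query_type and is not in scope here.
    {"end_time": datetime(2024, 3, 2, 11, 0), "query_type": "CREATE",
     "execution_status": "SUCCESS", "user_name": "ADMIN_USER", "role_name": "ACCOUNTADMIN",
     "query_text": "create security integration okta_provisioning type = scim ..."},
]


def find_scim_token_generation(rows):
    """Return successful SELECTs that called SYSTEM$GENERATE_SCIM_ACCESS_TOKEN,
    newest first, mirroring the benchmark query's WHERE and ORDER BY clauses."""
    hits = [
        r for r in rows
        if r["execution_status"] == "SUCCESS"
        and r["query_type"] == "SELECT"
        and SCIM_TOKEN_PATTERN.search(r["query_text"])
    ]
    return sorted(hits, key=lambda r: r["end_time"], reverse=True)


def count_recent(hits, now, window_days=30):
    """Count token generations inside the trailing window. The 30-day default is
    an assumed tuning value for this example; the benchmark sets no threshold."""
    cutoff = now - timedelta(days=window_days)
    return sum(1 for r in hits if r["end_time"] >= cutoff)


if __name__ == "__main__":
    matches = find_scim_token_generation(SAMPLE_QUERY_HISTORY)
    for hit in matches:
        print(hit["end_time"], hit["user_name"], hit["role_name"], hit["query_text"])
    print("in last 30 days:", count_recent(matches, datetime(2024, 3, 10)))
```

Because a token is valid for six months and most accounts have a single SCIM integration, a count above one in any short window is the condition worth escalating; the window length is the only parameter to tune against the account's own history.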