4.7 Ensure that all external stages have storage integrations

Information

An external stage is a Snowflake object used for loading data from external storage locations into Snowflake tables and for unloading data from Snowflake tables into external storage locations. Currently supported external storage locations are Amazon S3 buckets, Google Cloud Storage buckets and Microsoft Azure containers.

A storage integration is a Snowflake object that encapsulates the authentication configuration for external storage, together with an optional set of allowed or blocked storage locations. When configuring an external stage, a storage integration can be referenced in lieu of storage service credentials.

Using a storage integration removes the need to supply credentials when creating external stages or when loading or unloading data. This reduces the risk of those credentials being leaked and of data being compromised.

Additionally, security administrators creating storage integrations can constrain which cloud storage provider (CSP) locations may be used as destinations in external stages. This further reduces the risk of data being leaked or compromised.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Programmatically:

- For each external stage, create a storage integration <my_storage_integration> (STORAGE_ALLOWED_LOCATIONS is required for an EXTERNAL_STAGE integration; restrict it to the bucket paths the stage actually needs):

CREATE STORAGE INTEGRATION <my_storage_integration>
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::001234567890:role/myrole'
  STORAGE_ALLOWED_LOCATIONS = ('s3://<my_bucket>/<my_path>/');

- Update the external stage <my_external_stage> to use the new storage integration:

ALTER STAGE <my_external_stage> SET STORAGE_INTEGRATION = <my_storage_integration>;
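The following is an added worked example, not text from the CIS benchmark or the Nessus plugin: it first audits the account for external stages that have no storage integration attached (the condition this control checks), then remediates one of them with an integration scoped to allowed and blocked bucket paths and grants the stage owner usage of it. The names my_s3_integration, my_db.my_schema.my_external_stage, the role data_loader and every <placeholder> value are assumptions to be replaced with your own.

```sql
-- Added example; not part of the CIS benchmark or Nessus plugin text.

-- 1. Audit: SHOW STAGES exposes a "storage_integration" column. Any EXTERNAL
--    stage where it is NULL is authenticating with stored credentials instead.
SHOW STAGES IN ACCOUNT;
SELECT "database_name", "schema_name", "name", "url", "has_credentials"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "type" = 'EXTERNAL'
  AND "storage_integration" IS NULL;

-- 2. Remediate: create one integration per bucket/role pairing. Allowed and
--    blocked locations are enforced on every stage that references it, so a
--    stage owner cannot later point the stage at an arbitrary bucket.
--    Placeholders: <ACCOUNT_ID>, <ROLE_NAME>, <my_bucket>.
CREATE STORAGE INTEGRATION my_s3_integration
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>'
  STORAGE_ALLOWED_LOCATIONS = ('s3://<my_bucket>/loads/', 's3://<my_bucket>/unloads/')
  STORAGE_BLOCKED_LOCATIONS = ('s3://<my_bucket>/loads/pii/');

-- Shows STORAGE_AWS_IAM_USER_ARN and STORAGE_AWS_EXTERNAL_ID, which the AWS
-- role's trust policy must reference before the stage can use the integration.
DESC STORAGE INTEGRATION my_s3_integration;

-- Only roles granted USAGE on the integration can reference it from a stage.
GRANT USAGE ON INTEGRATION my_s3_integration TO ROLE data_loader;

-- 3. Attach the integration to the stage that the audit query flagged.
ALTER STAGE my_db.my_schema.my_external_stage
  SET STORAGE_INTEGRATION = my_s3_integration;

-- 4. Re-run step 1; the remediated stage should no longer be returned.
```

Run the audit block as a role that can see all stages (for example ACCOUNTADMIN); SHOW only lists objects the current role has privileges on, so a narrower role under-reports. Creating the integration requires the CREATE INTEGRATION privilege, which keeps the choice of trusted buckets with security administrators rather than with individual stage owners.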

Impact:

None.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AU-11, 800-53|SI-12

Plugin: Snowflake

Control ID: 00970f9e099bac781ecb17404a9906b66ca2ea2ba79934ae3a024cc24c8635d4