1.15 Ensure that Snowflake tasks do not run with the ACCOUNTADMIN or SECURITYADMIN role privileges

Information

The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. SECURITYADMIN role can trivially escalate their privileges to that of ACCOUNTADMIN Neither of these roles should be used for running Snowflake tasks. A task should be running using a custom role containing only those privileges that are necessary for successful execution of the task.

The principle of least privilege requires that every identity, including service identities, is only given privileges that are necessary to complete its job.

If a threat actor finds a way to influence or hijack the task execution flow, they may be able to exploit privileges given to the task. In the case of an ACCOUNTADMIN or SECURITYADMIN roles, that may lead to a full account takeover. Additionally, a mistake in the task implementation coupled with excessive privileges may lead to a reliability incident, e.g. accidentally dropping database objects.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

-

For each task <task_name> that runs with ACCOUNTADMIN or SECURITYADMIN privileges, create a new role <task_specific_role> and assign it to the tasks:

CREATE ROLE <task_specific_role>;GRANT OWNERSHIP ON TASK <task_name> TO ROLE <task_specific_role>;
-

After creating a new role and granting privileges to each task, ensure all privileges on the tasks are revoked from the ACCOUNTADMIN and SECURITYADMIN roles:

REVOKE ALL PRIVILEGES ON TASK <task_name> FROM ROLE ACCOUNTADMIN;REVOKE ALL PRIVILEGES ON TASK <task_name> FROM ROLE SECURITYADMIN;

Impact:

Existing stored procedures that are owned by the ACCOUNTADMIN or SECURITYADMIN roles and run with their privileges will need to be updated to use a task specific custom role. If that role does not have all the privileges required by the task, the task execution may fail.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Snowflake

Control ID: 3a927774792de3edd0d1b4de95583a08301eacddb30e67c9fe57fd04b1dbd180