1.7 Ensure authentication key pairs are rotated every 180 days

Information

Snowflake supports using RSA key pair authentication as an alternative to password authentication and as a primary way to authenticate service accounts.

Authentication key pair rotation is a process of replacing an existing authentication key pair with a freshly generated key pair.

Snowflake supports two active authentication key pairs to allow for uninterrupted key rotation. Rotate and replace your authentication key pairs based on the expiration schedule at least once every 180 days.

Periodic authentication key pair rotation mitigates the threat of compromised or leaked keys. It reduces the window of opportunity during which a given key is valid and can be used by a threat actor.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- For every Snowflake service account whose authentication key pair age is >= 180 days, generate a new RSA authentication key pair.

- Set whichever of the user's RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2 properties is currently unset to the new public key:

  ALTER USER <username> SET RSA_PUBLIC_KEY_2='JERUEHtcve...';

- Identify all services and automation that authenticate using the existing key pair and update them to authenticate with the freshly generated key pair.

- Unset whichever of the user's RSA_PUBLIC_KEY or RSA_PUBLIC_KEY_2 properties holds the old public key:

  ALTER USER <username> UNSET RSA_PUBLIC_KEY;
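The four steps above form one rotation cycle. The script below is an added example, not Tenable's audit code or Snowflake's own tooling: it takes DESCRIBE USER output as (property, value) rows, decides whether either key slot is 180 days old, and emits the ALTER USER statements in the order the control requires (set the new key in the free slot, cut services over, then unset the slot holding the old key). It assumes DESCRIBE USER exposes RSA_PUBLIC_KEY, RSA_PUBLIC_KEY_2 and their *_LAST_SET_TIME properties, and that the new public key is supplied as PEM text; the sample rows and key material are constructed, not taken from any account.

```python
"""Plan one Snowflake RSA key pair rotation cycle from DESCRIBE USER output.

Added example for this control; it is not Tenable's audit code or Snowflake's
own tooling. It assumes DESCRIBE USER returns (property, value) rows that
include RSA_PUBLIC_KEY, RSA_PUBLIC_KEY_2 and their *_LAST_SET_TIME
properties, and that the new public key is supplied as PEM text. The sample
rows and key material below are constructed and not taken from any account.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=180)
KEY_SLOTS = ("RSA_PUBLIC_KEY", "RSA_PUBLIC_KEY_2")
# Unquoted Snowflake identifier; anything else is rejected rather than
# interpolated into SQL.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")

# Constructed "current time" used by the stand-alone run below.
SAMPLE_NOW = datetime(2024, 8, 1, tzinfo=timezone.utc)

# Constructed DESCRIBE USER excerpt: slot 1 holds a key set in January 2024,
# slot 2 is free. Snowflake renders unset properties as the string "null".
SAMPLE_DESCRIBE_USER = [
    ("RSA_PUBLIC_KEY", "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoldkey"),
    ("RSA_PUBLIC_KEY_LAST_SET_TIME", "2024-01-10 09:15:00"),
    ("RSA_PUBLIC_KEY_2", "null"),
    ("RSA_PUBLIC_KEY_2_LAST_SET_TIME", "null"),
]

# Constructed PEM, not a real key. In practice generate the pair with openssl:
#   openssl genrsa 2048 | openssl pkcs8 -topk8 -inform PEM -out rsa_key.p8 -nocrypt
#   openssl rsa -in rsa_key.p8 -pubout -out rsa_key.pub
SAMPLE_NEW_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnewkey\n"
    "QIDAQAB\n"
    "-----END PUBLIC KEY-----\n"
)


def public_key_body(pem: str) -> str:
    """ALTER USER wants only the base64 body: drop PEM header/footer and newlines."""
    lines = (line.strip() for line in pem.strip().splitlines())
    return "".join(line for line in lines if not line.startswith("-----"))


def parse_describe(rows):
    """Map DESCRIBE USER rows to a dict, normalising Snowflake's 'null' to None."""
    return {prop: (None if value in (None, "", "null") else value) for prop, value in rows}


def key_age(props, slot, now):
    """Age of the key in `slot`, or None when the slot is unset."""
    set_time = props.get(f"{slot}_LAST_SET_TIME")
    if props.get(slot) is None or set_time is None:
        return None
    set_at = datetime.strptime(set_time, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return now - set_at


def plan_rotation(username, rows, new_public_key_pem, now=None):
    """Return the SQL for one rotation cycle, or [] when no key is 180 days old."""
    if not IDENTIFIER_RE.match(username):
        raise ValueError(f"unexpected characters in user name: {username!r}")
    now = now or datetime.now(timezone.utc)
    props = parse_describe(rows)
    ages = {slot: key_age(props, slot, now) for slot in KEY_SLOTS}
    stale = [slot for slot, age in ages.items() if age is not None and age >= MAX_KEY_AGE]
    if not stale:
        return []
    free = [slot for slot in KEY_SLOTS if props.get(slot) is None]
    if not free:
        # Both slots occupied: a previous rotation never unset its old key, so
        # setting a new one now would cut off whichever key is still in use.
        raise RuntimeError("both key slots are in use; finish the previous rotation first")
    old_slot = max(stale, key=lambda slot: ages[slot])
    body = public_key_body(new_public_key_pem)
    return [
        f"ALTER USER {username} SET {free[0]}='{body}';",
        "-- repoint every service using the old key before running the next statement",
        f"ALTER USER {username} UNSET {old_slot};",
    ]


if __name__ == "__main__":
    for stmt in plan_rotation("SVC_ETL", SAMPLE_DESCRIBE_USER, SAMPLE_NEW_PUBLIC_KEY_PEM, now=SAMPLE_NOW):
        print(stmt)
```

The middle line of the plan is a deliberate pause: the Impact note below applies exactly there, and the UNSET must not run until every consumer of the old key has been repointed. Refusing to proceed when both slots are occupied keeps the script from silently evicting a key that may still be in service.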

For more information, see Configuring Key Pair Rotation.

Impact:

Existing automation and services that rely on key pair authentication may break if they are not updated to use a new authentication key before the old key is inactivated.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Snowflake

Control ID: 53380cf026e2498d22a039c1eb04314103715d833f34e531ef427092a72437a4