Information
A session begins when a user connects to Snowflake and authenticates successfully using a Snowflake programmatic client, Snowsight, or the classic web interface.
A session is maintained indefinitely with continued user activity. After a period of inactivity in the session, known as the idle session timeout, the user must authenticate to Snowflake again. Session policies can be used to modify the idle session timeout period. The idle session timeout has a maximum value of four hours.
Tightening the idle session timeout reduces the risk of sensitive data exposure when a user forgets to sign out of Snowflake and an unauthorized person gains access to their device.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Programmatically:
In the Snowsight UI or from the SnowSQL CLI:
- Create the session policy if it does not exist yet. Execute the following command to create a session policy that sets the idle session timeout for highly privileged users in your Snowflake account:
  -- Both the programmatic-client and the Snowsight/classic UI idle timeouts are set to 15 minutes
  CREATE SESSION POLICY <session_policy> SESSION_IDLE_TIMEOUT_MINS = 15, SESSION_UI_IDLE_TIMEOUT_MINS = 15;
- Set the session policy for every highly privileged user:
  ALTER USER <username> SET SESSION POLICY <session_policy>;
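To verify the remediation above, the following audit query (an added example, not part of the benchmark or of Snowflake's documentation) lists each privileged user together with the session policy assigned at user level and flags users who have no user-level policy or whose policy allows more than 15 idle minutes. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema and a placeholder list of privileged usernames; the 240-minute fallback reflects the four-hour maximum stated above.

```sql
-- Added audit query (not from the original page). Assumes ACCOUNTADMIN or a
-- role granted IMPORTED PRIVILEGES on the SNOWFLAKE database, and that the
-- usernames below are replaced with the account's actual privileged users.
WITH privileged_users AS (
    SELECT name
    FROM SNOWFLAKE.ACCOUNT_USAGE.USERS
    WHERE deleted_on IS NULL
      AND name IN ('<privileged_user_1>', '<privileged_user_2>')  -- placeholder list
),
user_policy AS (
    -- Session policies attached directly to users (account-level policies have
    -- ref_entity_domain = 'ACCOUNT' and are deliberately excluded here).
    SELECT r.ref_entity_name            AS user_name,
           p.name                       AS policy_name,
           p.session_idle_timeout_mins,
           p.session_ui_idle_timeout_mins
    FROM SNOWFLAKE.ACCOUNT_USAGE.POLICY_REFERENCES r
    JOIN SNOWFLAKE.ACCOUNT_USAGE.SESSION_POLICIES p
      ON p.name          = r.policy_name
     AND p.database_name = r.policy_db
     AND p.schema_name   = r.policy_schema
    WHERE r.policy_kind       = 'SESSION_POLICY'
      AND r.ref_entity_domain = 'USER'
      AND p.deleted IS NULL
)
SELECT u.name,
       up.policy_name,
       up.session_idle_timeout_mins,
       up.session_ui_idle_timeout_mins,
       CASE
         WHEN up.policy_name IS NULL THEN 'NO USER-LEVEL SESSION POLICY'
         -- A NULL timeout in the policy means the Snowflake default (240 min) applies
         WHEN COALESCE(up.session_idle_timeout_mins, 240)    > 15
           OR COALESCE(up.session_ui_idle_timeout_mins, 240) > 15 THEN 'TIMEOUT TOO LONG'
         ELSE 'COMPLIANT'
       END AS finding
FROM privileged_users u
LEFT JOIN user_policy up ON up.user_name = u.name
ORDER BY finding, u.name;
```

Rows whose finding is anything other than COMPLIANT identify the users the ALTER USER step still needs to cover. ACCOUNT_USAGE views lag live changes by up to a few hours, so re-run the query after the latency window when confirming a fix.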
Impact:
Too short an idle session timeout may result in a poor user experience, because users are repeatedly logged out of their accounts.