1.13 Ensure that the ACCOUNTADMIN or SECURITYADMIN role is not granted to any custom role

Information

The principle of least privilege requires that every identity is only given privileges that are necessary to complete its tasks.

The ACCOUNTADMIN system role is the most powerful role in a Snowflake account and is intended for performing initial setup and managing account-level objects. A role that holds SECURITYADMIN can trivially escalate its privileges to those of ACCOUNTADMIN, because SECURITYADMIN carries the global MANAGE GRANTS privilege and can grant any role, including ACCOUNTADMIN, to itself or to any user. Neither of these roles should be used for performing daily non-administrative tasks in a Snowflake account.

Granting ACCOUNTADMIN role to any custom role effectively elevates privileges of that role to the ACCOUNTADMIN role privileges. Roles that include the ACCOUNTADMIN role can then be mistakenly used in access grants that do not require ACCOUNTADMIN privileges thus violating the principle of least privilege and increasing the attack surface. The same logic applies to the SECURITYADMIN role.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI, find all custom roles that are granted the ACCOUNTADMIN or SECURITYADMIN role and revoke those grants. A system role held by a custom role is a role grant, not an account privilege, so it is removed with the REVOKE ROLE form:

REVOKE ROLE SECURITYADMIN FROM ROLE <custom_role>;
REVOKE ROLE ACCOUNTADMIN FROM ROLE <custom_role>;

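The following worked example is added here and is not part of the CIS benchmark or the Tenable audit; it shows how to enumerate the offending grants before revoking them. It assumes the statements run as ACCOUNTADMIN (or a role with MANAGE GRANTS and SELECT access to the SNOWFLAKE database), and the custom role name ANALYST_ROLE in the remediation step is a placeholder:

```sql
-- Added example (not from the CIS/Tenable page). Assumes ACCOUNTADMIN or a
-- role holding MANAGE GRANTS plus access to the SNOWFLAKE shared database.

-- 1. Real-time check. SHOW GRANTS OF ROLE lists every user and role that holds
--    the named role; RESULT_SCAN turns that output into a queryable table.
--    Snowflake's own hierarchy (ACCOUNTADMIN -> SECURITYADMIN -> USERADMIN,
--    ACCOUNTADMIN -> SYSADMIN) is excluded so only custom roles remain.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SELECT "grantee_name" AS custom_role, "role" AS granted_role, "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_to" = 'ROLE'
  AND "grantee_name" NOT IN ('ACCOUNTADMIN','SECURITYADMIN','SYSADMIN',
                             'USERADMIN','ORGADMIN','PUBLIC');

SHOW GRANTS OF ROLE SECURITYADMIN;
SELECT "grantee_name" AS custom_role, "role" AS granted_role, "granted_by"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "granted_to" = 'ROLE'
  AND "grantee_name" NOT IN ('ACCOUNTADMIN','SECURITYADMIN','SYSADMIN',
                             'USERADMIN','ORGADMIN','PUBLIC');

-- 2. Account-wide sweep over ACCOUNT_USAGE. Role-to-role grants appear there as
--    PRIVILEGE = 'USAGE' on GRANTED_ON = 'ROLE'. This view lags live state by up
--    to about two hours, so use step 1 to confirm before and after remediation.
--    The query emits a ready-to-run REVOKE statement per offending grant.
SELECT grantee_name       AS custom_role,
       name               AS granted_role,
       granted_by,
       created_on,
       'REVOKE ROLE ' || name || ' FROM ROLE ' || grantee_name || ';' AS revoke_stmt
FROM snowflake.account_usage.grants_to_roles
WHERE granted_on = 'ROLE'
  AND granted_to = 'ROLE'
  AND privilege  = 'USAGE'
  AND name IN ('ACCOUNTADMIN','SECURITYADMIN')
  AND deleted_on IS NULL
  AND grantee_name NOT IN ('ACCOUNTADMIN','SECURITYADMIN','SYSADMIN',
                           'USERADMIN','ORGADMIN','PUBLIC')
ORDER BY created_on;

-- 3. Remediation for a role the queries above reported (ANALYST_ROLE is a
--    placeholder). A revoke of a grant that does not exist is a no-op.
REVOKE ROLE ACCOUNTADMIN  FROM ROLE ANALYST_ROLE;
REVOKE ROLE SECURITYADMIN FROM ROLE ANALYST_ROLE;

-- 4. Verify: the system roles must no longer appear in the role's grant list.
SHOW GRANTS TO ROLE ANALYST_ROLE;
SELECT COUNT(*) AS remaining_admin_grants
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" = 'USAGE'
  AND "granted_on" = 'ROLE'
  AND "name" IN ('ACCOUNTADMIN','SECURITYADMIN');   -- expect 0
```

Only direct grants need revoking: a second custom role that inherits ACCOUNTADMIN through the first loses it as soon as the first role's grant is removed, so the queries above, which report the directly granted role, are sufficient to find every chain.
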
Impact:

Users who lose the ACCOUNTADMIN or SECURITYADMIN privileges granted to them indirectly through a custom role may not be able to perform their job duties until the privileges they legitimately require are granted again through a more narrowly scoped role.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Snowflake

Control ID: 49f66d446782e038de8f927e01052f4c74b4a41fd999d07eb52867056db4e41e