2.5 Ensure monitoring and alerting exist for creation, update and deletion of security integrations

Information

A security integration object is the Snowflake object used to configure SSO (SAML/OAuth) and SCIM integrations.

Creation of an unauthorized security integration can, in the case of SCIM, lead to the provisioning of rogue Snowflake users. In the case of SSO, it can lead to the hijacking of existing Snowflake users through a rogue authentication flow.

Update or deletion of an existing security integration can weaken the security posture of that integration or cause a denial of service, e.g. when users cannot sign in to Snowflake accounts because the SSO authentication flow is broken.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- Configure your security monitoring solution to alert on creation, update and deletion of security integrations. The following query lists successful statements that created, altered or dropped a security integration. The ACCOUNT_USAGE views require the ACCOUNTADMIN role (or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database), and QUERY_HISTORY data in ACCOUNT_USAGE can lag by up to 45 minutes; the text filter is a substring match on the statement text, so review hits rather than acting on them automatically.

    select end_time, query_type, query_text, user_name, role_name
    from snowflake.account_usage.query_history
    where execution_status = 'SUCCESS'
      and query_type in ('CREATE', 'ALTER', 'DROP')
      and query_text ilike '%security integration%'
    order by end_time desc;
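As an added example (not part of the CIS benchmark or the Nessus plugin), the same detection packaged as a native Snowflake ALERT that evaluates the check every hour and emails the security team when a change is found. The warehouse MONITORING_WH, the alert name, the email notification integration SECOPS_EMAIL_INT and the recipient address are assumptions; the notification integration must already exist with TYPE = EMAIL, and the recipient must be a verified address in the account. Because ACCOUNT_USAGE can lag up to 45 minutes, the alert evaluates a window shifted back by one hour rather than the current scheduling interval, so late-arriving rows are not skipped.

```sql
-- Added example: a Snowflake ALERT wrapping the benchmark query.
-- Assumptions: warehouse MONITORING_WH, an EMAIL notification integration
-- SECOPS_EMAIL_INT and the recipient secops@example.com already exist.
-- The alert runs with its owner's privileges; a dedicated role holding
-- IMPORTED PRIVILEGES on the SNOWFLAKE database is preferable to ACCOUNTADMIN.
USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE ALERT security_integration_change_alert
  WAREHOUSE = monitoring_wh
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
        SELECT 1
        FROM snowflake.account_usage.query_history
        WHERE execution_status = 'SUCCESS'
          AND query_type IN ('CREATE', 'ALTER', 'DROP')
          AND query_text ILIKE '%security integration%'
          -- Evaluate the previous interval shifted back one hour so that
          -- ACCOUNT_USAGE latency (up to 45 minutes) does not drop events.
          AND end_time >  DATEADD(hour, -1, SNOWFLAKE.ALERT.LAST_SUCCESSFUL_SCHEDULED_TIME())
          AND end_time <= DATEADD(hour, -1, SNOWFLAKE.ALERT.SCHEDULED_TIME())
  ))
  THEN
    CALL SYSTEM$SEND_EMAIL(
      'secops_email_int',
      'secops@example.com',
      'Snowflake security integration changed',
      'A security integration was created, altered or dropped. Review '
      || 'snowflake.account_usage.query_history for the statement text, '
      || 'user_name and role_name, and confirm the change was authorized.'
    );

-- Alerts are created in a suspended state; start it explicitly.
ALTER ALERT security_integration_change_alert RESUME;

-- Verify the alert is running and whether its condition has fired
-- (INFORMATION_SCHEMA.ALERT_HISTORY covers the last 7 days).
SELECT name, state, scheduled_time, completed_time, sql_error_message
FROM TABLE(information_schema.alert_history(
        scheduled_time_range_start => DATEADD(day, -7, CURRENT_TIMESTAMP())))
WHERE name = 'SECURITY_INTEGRATION_CHANGE_ALERT'
ORDER BY scheduled_time DESC;
```

Two caveats when using this. The benchmark filter is a substring match on the statement text, so the CREATE ALERT statement above, whose own text contains the phrase, may itself be reported on the first evaluation; treat that first hit as expected. And the email carries only a pointer to QUERY_HISTORY, not the statement text, so that integration details are not sent over email; the responder runs the benchmark query to see who changed what.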

Impact:

If security integration creation, update and deletion events happen frequently, monitoring and alerting on these events may generate undue load on the detection and response team.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.7

Plugin: Snowflake

Control ID: 47ec3e2c7bc6371e3e66ee6e9055e81da08b0fe692542240adf9790db2a52e72