2.1 Ensure monitoring and alerting exist for ACCOUNTADMIN and SECURITYADMIN role grants

Information

By default, ACCOUNTADMIN is the most powerful role in a Snowflake account, and a user holding the SECURITYADMIN role can trivially escalate to ACCOUNTADMIN: SECURITYADMIN carries the global MANAGE GRANTS privilege, so it can grant the ACCOUNTADMIN role to any user, including the one it is running as.

Following the principle of least privilege, which prescribes limiting users' privileges to those strictly required to do their jobs, the ACCOUNTADMIN and SECURITYADMIN roles should be assigned to a small number of designated users. Any new ACCOUNTADMIN or SECURITYADMIN role grant should be scrutinized.

Every new ACCOUNTADMIN and SECURITYADMIN role assignment increases the attack surface of a Snowflake environment. It may also indicate unauthorized privilege escalation performed by a threat actor.

If monitoring for ACCOUNTADMIN role assignments is not configured, inappropriate or unauthorized ACCOUNTADMIN role access grants may be missed. The latter can lead to eventual security posture degradation or late detection of an ongoing security incident. The same logic applies to the SECURITYADMIN role.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:


Configure your monitoring task or alert to fire on new ACCOUNTADMIN and SECURITYADMIN role grants. You can find those grants with the following query. Note that SNOWFLAKE.ACCOUNT_USAGE views are not real-time (GRANTS_TO_ROLES can lag the actual grant by up to two hours), that GRANTED_TO and GRANTEE_NAME identify the recipient while GRANTED_BY identifies the role that issued the grant, and that revoked grants remain in the view with DELETED_ON populated:

SELECT *
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE NAME IN ('ACCOUNTADMIN', 'SECURITYADMIN');

Impact:

If the principle of least privilege is not strictly applied and ACCOUNTADMIN and SECURITYADMIN role assignments happen frequently, monitoring and alerting on this event may generate undue load on the detection and response team.
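The following is an added example, not part of the CIS benchmark or the Nessus plugin, showing one way to turn the query above into a scheduled Snowflake ALERT that also covers direct grants of the privileged roles to users (which appear in GRANTS_TO_USERS rather than GRANTS_TO_ROLES), and that addresses the noise concern in the Impact section with an allowlist of designated grantees. The warehouse name MONITORING_WH, the notification integration SECOPS_EMAIL_INT, the recipient address and the break-glass account names are hypothetical; everything else uses documented Snowflake objects and columns.

```sql
-- Added example (not from the benchmark or Nessus): a Snowflake ALERT that fires
-- when a new ACCOUNTADMIN or SECURITYADMIN grant appears, covering role-to-role
-- grants (GRANTS_TO_ROLES) and direct grants to users (GRANTS_TO_USERS).
-- Hypothetical names: MONITORING_WH, SECOPS_EMAIL_INT, secops@example.com,
-- and the break-glass accounts in the allowlist below.
USE ROLE ACCOUNTADMIN;

CREATE OR REPLACE ALERT ADMIN_ROLE_GRANT_ALERT
  WAREHOUSE = MONITORING_WH
  SCHEDULE  = '60 MINUTE'
  IF (EXISTS (
    -- ACCOUNT_USAGE grant views can lag by up to two hours, so look back three
    -- hours rather than only since the previous run. A grant may therefore be
    -- reported on two consecutive runs; for a high-severity, low-volume event
    -- that is preferable to missing it.
    WITH admin_grants AS (
      SELECT 'ROLE' AS grantee_type, GRANTEE_NAME, NAME AS granted_role,
             GRANTED_BY, CREATED_ON
      FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
      WHERE GRANTED_ON = 'ROLE'
        AND PRIVILEGE = 'USAGE'   -- USAGE on a role object is a role grant
        AND NAME IN ('ACCOUNTADMIN', 'SECURITYADMIN')
        AND DELETED_ON IS NULL    -- ignore grants that were already revoked
      UNION ALL
      SELECT 'USER', GRANTEE_NAME, ROLE, GRANTED_BY, CREATED_ON
      FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
      WHERE ROLE IN ('ACCOUNTADMIN', 'SECURITYADMIN')
        AND DELETED_ON IS NULL
    )
    SELECT 1
    FROM admin_grants
    WHERE CREATED_ON > DATEADD('hour', -3, SNOWFLAKE.ALERT.SCHEDULED_TIME())
      -- Designated break-glass users (hypothetical) may legitimately hold
      -- these roles; any other grantee, and any role-to-role grant, alerts.
      AND NOT (grantee_type = 'USER'
               AND GRANTEE_NAME IN ('BREAKGLASS_ADMIN_1', 'BREAKGLASS_ADMIN_2'))
  ))
  THEN CALL SYSTEM$SEND_EMAIL(
    'SECOPS_EMAIL_INT',
    'secops@example.com',
    'Snowflake: new ACCOUNTADMIN/SECURITYADMIN grant detected',
    'A grant of ACCOUNTADMIN or SECURITYADMIN was created in the last 3 hours. Run the triage query against GRANTS_TO_ROLES and GRANTS_TO_USERS.');

-- Alerts are created in a suspended state and must be resumed explicitly.
ALTER ALERT ADMIN_ROLE_GRANT_ALERT RESUME;

-- Triage query to run by hand when the alert fires: who received the role,
-- which role issued the grant, and when.
SELECT 'ROLE' AS grantee_type, GRANTEE_NAME, NAME AS granted_role,
       GRANTED_BY, CREATED_ON
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE GRANTED_ON = 'ROLE' AND PRIVILEGE = 'USAGE'
  AND NAME IN ('ACCOUNTADMIN', 'SECURITYADMIN') AND DELETED_ON IS NULL
  AND CREATED_ON > DATEADD('hour', -3, CURRENT_TIMESTAMP())
UNION ALL
SELECT 'USER', GRANTEE_NAME, ROLE, GRANTED_BY, CREATED_ON
FROM SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
WHERE ROLE IN ('ACCOUNTADMIN', 'SECURITYADMIN') AND DELETED_ON IS NULL
  AND CREATED_ON > DATEADD('hour', -3, CURRENT_TIMESTAMP())
ORDER BY CREATED_ON DESC;
```

SYSTEM$SEND_EMAIL requires an existing notification integration of TYPE = EMAIL whose ALLOWED_RECIPIENTS list includes the target address; the role that creates the alert needs EXECUTE ALERT on the account, USAGE on the warehouse and USAGE on the integration. If the designated grantee list changes often, keep it in a table and join against it instead of editing the alert condition.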

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.7

Plugin: Snowflake

Control ID: b42a19f8d091e0fb8219225635f96589bbc1ee29a8a5875725da0221364ec384