3.2 Ensure that user-level network policies have been configured for service accounts

Information

Network policies allow restricting access to a Snowflake account based on source IP addresses. A network policy can be configured either on the account level, for all users of the account, or on the user level, for a specific user. In the presence of both account-level and user-level policies, the user-level policies take precedence.

A service account is a Snowflake user whose credentials are used by scripts, jobs, applications, pipelines, etc. to talk to Snowflake. Other names include "application user", "service principal", "system account", or "daemon user". "Service account" is not a Snowflake-specific term.

Network policies help mitigate the threat of leaked user credentials. If network policies are not configured limiting source IP addresses, leaked Snowflake credentials can be used from anywhere in the world.

Service accounts often have direct access to raw sensitive data not appropriate for most human users. Service accounts are also generally deployed in production environments with source IP address ranges distinct from the IP address ranges used by the human users. To decrease the risk of inappropriate data access with service account credentials, user-level network policies can be applied to service accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- Create a network policy. Replace <policy_name> with the name you want to give the policy, and customize the list of allowed (and, if needed, blocked) IP addresses: CREATE NETWORK POLICY <policy_name> ALLOWED_IP_LIST=('192.168.1.0/24');
- For each service account user <service_account_name>, set the desired network policy <policy_name>: ALTER USER <service_account_name> SET NETWORK_POLICY = <policy_name>;
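The procedure above carried through end to end, including the verification step the benchmark leaves to the reader. This is an added example, not code from the CIS benchmark or from Tenable; the policy name ETL_EGRESS_POLICY, the user names ETL_LOADER and REPORTING_BOT, the database name AUDIT_DB and the CIDR ranges are assumed placeholders to be replaced with your own production egress ranges.

```sql
-- Added example (not from the benchmark page). All object names and IP ranges are assumed.
-- Creating network policies requires the CREATE NETWORK POLICY privilege, which
-- SECURITYADMIN holds by default.
USE ROLE SECURITYADMIN;

-- Sanity check before locking anything down: confirm the address you are connecting
-- from, so an account-level policy (if you ever set one) does not lock you out.
SELECT CURRENT_IP_ADDRESS();

-- 1. Allow-list only. Snowflake blocks every address that is not in ALLOWED_IP_LIST,
--    so BLOCKED_IP_LIST is omitted entirely. Never put 0.0.0.0/0 in BLOCKED_IP_LIST:
--    the blocked list is evaluated first and would deny everyone, including you.
CREATE NETWORK POLICY ETL_EGRESS_POLICY
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')   -- assumed production egress ranges
  COMMENT = 'User-level policy for service accounts (CIS Snowflake 3.2)';

-- 2. Attach the policy to each service account. A user-level policy takes precedence
--    over any account-level policy for that user, so the service accounts are pinned
--    to the production egress ranges even if the account-level policy is broader.
ALTER USER ETL_LOADER    SET NETWORK_POLICY = ETL_EGRESS_POLICY;
ALTER USER REPORTING_BOT SET NETWORK_POLICY = ETL_EGRESS_POLICY;

-- 3. Verify per user: the parameter should show the policy name with level = USER.
--    An empty value means the user falls back to the account-level policy (or none).
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER ETL_LOADER;
SHOW PARAMETERS LIKE 'NETWORK_POLICY' IN USER REPORTING_BOT;

-- 4. Audit: list the policies that exist, then every object the policy is bound to.
--    POLICY_REFERENCES is an INFORMATION_SCHEMA table function, so it is invoked
--    through any database you can read (AUDIT_DB is assumed); the network policy
--    name itself is account-level and unqualified.
SHOW NETWORK POLICIES;
SELECT ref_entity_domain, ref_entity_name, policy_name
  FROM TABLE(AUDIT_DB.INFORMATION_SCHEMA.POLICY_REFERENCES(POLICY_NAME => 'ETL_EGRESS_POLICY'));

-- 5. Roll back a single user without dropping the policy, if the egress ranges were wrong.
-- ALTER USER ETL_LOADER UNSET NETWORK_POLICY;
```

Run steps 1 and 2 from a session that is not itself one of the service accounts: the policy only affects new sessions for the users it is attached to, so a mistaken range surfaces as failed logins from the pipelines rather than as a lockout of the administrator. Step 4 is the check Nessus does not perform for this item; a service account that is missing from the POLICY_REFERENCES output, and whose SHOW PARAMETERS row has no value, is non-compliant.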

For more information, see the Snowflake documentation on creating network policies.

Note:

- When a network policy includes values for both ALLOWED_IP_LIST and BLOCKED_IP_LIST, Snowflake applies the blocked list first.
- Do not add 0.0.0.0/0 to BLOCKED_IP_LIST. Because Snowflake applies the blocked list first, this would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST; Snowflake automatically blocks all IP addresses not included in the allowed list.

Impact:

If a network policy is misconfigured so that it disallows the IP addresses from which service accounts actually access Snowflake, those service accounts can no longer authenticate and the jobs and pipelines that depend on them will fail, causing a reliability impact.

If a user with permissions to configure network policies on the account accidentally locks themselves and everybody else with such permission out, they will need to contact Snowflake customer support to restore access to their account.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Snowflake

Control ID: 6662cd9828c6ae8cb9d91bbdbb4a78631f6ec252cdea647b6688d30275e1614b