1.11 Ensure that all users granted the ACCOUNTADMIN role have an email address assigned

Information

Every Snowflake user can be assigned an email address. These email addresses are then used by Snowflake features such as notification integrations, resource monitors and support cases to deliver email notifications to Snowflake users. In trial Snowflake accounts these email addresses are used for password reset functionality.

The email addresses assigned to ACCOUNTADMIN users are used by Snowflake to notify administrators about important events related to their accounts. For example, ACCOUNTADMIN users are notified about impending expiration of SAML2 certificates or SCIM access tokens.

If users with the ACCOUNTADMIN role are not assigned working email addresses that are actively monitored, and the SAML2 certificate used in the SSO integration is not proactively renewed, expiration of the SAML2 certificate may break the SSO authentication flow. Similarly, an unnoticed expiration of the SCIM access token may break the SCIM integration.

Additionally, emails assigned to ACCOUNTADMIN users can be used by Snowflake Support to contact account administrators in urgent situations.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- For every ACCOUNTADMIN user <username> that does not have an email address assigned, run the following command to assign one (the address must be a quoted string literal):

ALTER USER <username> SET EMAIL = '<email_address>';
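The following is an added example, not part of the benchmark text, showing how to find the users this recommendation applies to before remediating them. It assumes the session role can read the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN, or a role granted IMPORTED PRIVILEGES on the SNOWFLAKE database); <username> and the example email address are placeholders.

```sql
-- Added example (not from the CIS benchmark): list active users that hold
-- ACCOUNTADMIN directly and have no email address on record.
-- Assumes access to SNOWFLAKE.ACCOUNT_USAGE; these views lag live account
-- state by up to a couple of hours, so recently changed users may not appear yet.
SELECT u.name       AS user_name,
       u.email      AS email,
       g.created_on AS accountadmin_granted_on
FROM   SNOWFLAKE.ACCOUNT_USAGE.USERS u
JOIN   SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS g
       ON g.grantee_name = u.name
WHERE  g.role = 'ACCOUNTADMIN'
  AND  g.deleted_on IS NULL                    -- grant still in effect
  AND  u.deleted_on IS NULL                    -- user not dropped
  AND  u.disabled = FALSE                      -- skip disabled users
  AND  (u.email IS NULL OR TRIM(u.email) = '') -- no usable address
ORDER BY u.name;

-- Real-time alternative without ACCOUNT_USAGE latency: SHOW GRANTS returns the
-- direct grantees of the role; filter the result to user grantees only.
SHOW GRANTS OF ROLE ACCOUNTADMIN;
SELECT "grantee_name"
FROM   TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE  "granted_to" = 'USER';

-- Remediation for one user returned above (placeholder user and address;
-- the email value must be a quoted string literal).
ALTER USER <username> SET EMAIL = 'admin.name@example.com';

-- Confirm the property is now set; EMAIL appears in the DESCRIBE USER output.
DESCRIBE USER <username>;
```

Both audit queries only see users granted ACCOUNTADMIN directly. If ACCOUNTADMIN has been granted to another role, the members of that role inherit it and must be checked separately (for example with SHOW GRANTS OF ROLE on each such role), and the address set should be a mailbox that is actually monitored, since an unmonitored address satisfies the check without addressing the risk.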

Impact:

None.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2

Plugin: Snowflake

Control ID: f030e6deb93022dc4a8c81688dfdafea263fee9ea0a25044a0536bb24a3b6633