4.8 Ensure that the PREVENT_UNLOAD_TO_INLINE_URL account parameter is set to true

Information

Prevent ad hoc data unload operations to external cloud storage by enabling the PREVENT_UNLOAD_TO_INLINE_URL account parameter.

Direct data unloading can be employed by threat actors to exfiltrate sensitive data from Snowflake to a supported external storage location of their choice. A well-intentioned employee with a legitimate business task can also unknowingly unload data to a publicly accessible storage location and unintentionally leak it. Preventing direct data unloading reduces the risk of both data exfiltration and accidental leakage.

Setting the PREVENT_UNLOAD_TO_INLINE_URL account parameter to true prevents ad hoc data unload operations to external cloud storage locations, i.e. COPY INTO <location> statements that specify the cloud storage URL and its access settings (credentials or encryption options) directly in the statement. Unloads to named external stages that reference a storage integration are not affected.

Solution

Programmatically:

Set the PREVENT_UNLOAD_TO_INLINE_URL parameter at the account level to true:

ALTER ACCOUNT
SET PREVENT_UNLOAD_TO_INLINE_URL=true;

NOTE: To avoid disrupting existing workflows that rely on unloading data directly to external storage locations, identify all such workflows first and migrate them to unload data to external stages that reference storage integrations.
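The remediation sequence described above (audit the current value, find the workflows that still unload to inline URLs, migrate them to a stage backed by a storage integration, then enforce), as an added Snowflake SQL example that is not part of the benchmark text. The integration, stage, table and bucket names and the IAM role ARN are placeholders.

```sql
-- Added example, not from the benchmark: audit, identify, migrate, enforce.
-- exports_s3_int, exports_stage, orders, <approved-export-bucket> and the
-- role ARN are placeholders to be replaced with your own values.

-- 1. Audit: confirm the current account-level value (expect 'true' after remediation).
SHOW PARAMETERS LIKE 'PREVENT_UNLOAD_TO_INLINE_URL' IN ACCOUNT;

-- 2. Identify recent unloads that name a cloud storage URL directly in the statement.
--    These are the workflows that will break once the parameter is enforced.
--    ACCOUNT_USAGE views lag behind real time, so run this before changing the parameter.
SELECT start_time, user_name, role_name, query_text
FROM snowflake.account_usage.query_history
WHERE query_type = 'UNLOAD'
  AND start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND (query_text ILIKE '%COPY INTO ''s3://%'
       OR query_text ILIKE '%COPY INTO ''azure://%'
       OR query_text ILIKE '%COPY INTO ''gcs://%')
ORDER BY start_time DESC;

-- 3. Migrate: replace the inline URL with a stage that references a storage integration,
--    so the destination is pinned to an allow-listed location and no credentials appear in SQL.
CREATE OR REPLACE STORAGE INTEGRATION exports_s3_int
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::<ACCOUNT_ID>:role/<SNOWFLAKE_UNLOAD_ROLE>'  -- placeholder
  STORAGE_ALLOWED_LOCATIONS = ('s3://<approved-export-bucket>/exports/');           -- placeholder

CREATE OR REPLACE STAGE exports_stage
  URL = 's3://<approved-export-bucket>/exports/'
  STORAGE_INTEGRATION = exports_s3_int;

-- Before (blocked once the parameter is true):
--   COPY INTO 's3://<some-bucket>/path/' FROM orders CREDENTIALS = (...);
-- After (unaffected by the parameter):
COPY INTO @exports_stage/orders/ FROM orders FILE_FORMAT = (TYPE = CSV);

-- 4. Enforce once the affected workflows have been migrated to stages.
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = TRUE;
```

Step 2 only catches statements whose URL appears directly after COPY INTO; review unload statements with the full query text if your workflows format them differently.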

Impact:

Setting the PREVENT_UNLOAD_TO_INLINE_URL account-level parameter to true can break existing manual and automated flows that rely on unloading data directly to external storage locations.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|AU-11, 800-53|MP-2, 800-53|SI-12, CSCv7|14.6

Plugin: Snowflake

Control ID: d7f0ff429db2f54b3f12baefaaf96d562a3185e0758e65d0c49074342c7804de