1.8 Ensure that users who did not log in for 90 days are disabled

Information

Access grants tend to accumulate over time unless explicitly set to expire. Regularly revoking unused access grants and disabling inactive user accounts is a good countermeasure to this dynamic.

If the credentials of an inactive user account are leaked or stolen, the compromise is likely to go unnoticed for longer, since no legitimate owner is using the account and would notice unexpected activity on it.

In Snowflake a user account can be disabled by users with the ACCOUNTADMIN role (or, more generally, by any role that holds the OWNERSHIP privilege on that user object, which is USERADMIN by default for users it created).

Disabling inactive user accounts supports the principle of least privilege and generally reduces attack surface.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

For each user <user_name> that has not logged in during the last 90 days, run the following statement to disable the account:

ALTER USER <user_name> SET DISABLED = true;

If an account needs to be re-enabled, the user must contact a Snowflake account administrator (the same statement with DISABLED = false reverses the change).

Impact:

There is a chance of disabling users or service accounts that are used consistently but very infrequently, e.g. once or twice a year. Such users should be tagged, and the tag filtered out in the audit query, so they are not disabled between their legitimate logins.
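The audit step behind the procedure above, combined with the tag-based exemption the Impact section asks for, as an added example (not the benchmark's own audit query). It reads the SNOWFLAKE.ACCOUNT_USAGE.USERS and TAG_REFERENCES views, treats a user that has never logged in as inactive once it is older than the cutoff, and emits the ALTER USER statements rather than executing them, so the list can be reviewed first. The tag GOVERNANCE.TAGS.LOGIN_CADENCE and its value 'RARE' are hypothetical names assumed for the example.

```sql
-- Added example, not from the CIS benchmark: list users with no successful
-- login in the last 90 days and generate the statements that disable them.
-- Run with a role that can query SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).
-- Caveat: ACCOUNT_USAGE views lag the live account state by up to a few hours,
-- so a user who logged in minutes ago may still appear here.
-- Assumption: low-frequency service accounts carry the hypothetical tag
-- GOVERNANCE.TAGS.LOGIN_CADENCE = 'RARE'; adjust to the tag you actually use.

WITH exempt AS (
    -- users explicitly marked as rarely-used but legitimate
    SELECT object_name AS user_name
    FROM snowflake.account_usage.tag_references
    WHERE domain       = 'USER'
      AND tag_database = 'GOVERNANCE'
      AND tag_schema   = 'TAGS'
      AND tag_name     = 'LOGIN_CADENCE'
      AND tag_value    = 'RARE'
),
inactive AS (
    SELECT u.name, u.created_on, u.last_success_login
    FROM snowflake.account_usage.users u
    WHERE u.deleted_on IS NULL                       -- still exists
      AND NOT TO_BOOLEAN(u.disabled)                 -- not already disabled
      -- never logged in: fall back to creation date so brand-new users
      -- are not flagged, but stale never-used accounts are
      AND COALESCE(u.last_success_login, u.created_on)
            < DATEADD('day', -90, CURRENT_TIMESTAMP())
)
SELECT i.name,
       i.created_on,
       i.last_success_login,
       'ALTER USER "' || i.name || '" SET DISABLED = TRUE;' AS disable_stmt
FROM inactive i
LEFT JOIN exempt e ON e.user_name = i.name
WHERE e.user_name IS NULL                            -- drop the exempted users
ORDER BY i.last_success_login NULLS FIRST, i.name;
```

Review the result set, then run the generated disable_stmt values. The double quotes around the name keep mixed-case or punctuated user names valid. Because COALESCE uses the creation date for users who have never logged in, a recently provisioned user who simply has not onboarded yet is not disabled, while an account that was created long ago and never used is, which is usually the more dangerous of the two.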

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(3), CSCv7|16.9

Plugin: Snowflake

Control ID: 1dd36dd0b8cb51b7c092f5c0818d7d4ba114e077c84471469a3090a9f2ce2a24