4.1 Ensure yearly rekeying is enabled for a Snowflake account

Information

All Snowflake customer data is encrypted by default using the latest security standards and best practices. Snowflake uses strong AES 256-bit encryption with a hierarchical key model rooted in a hardware security module.

All Snowflake-managed keys are automatically rotated when they are more than 30 days old. Furthermore, data can be automatically re-encrypted ("rekeyed") on a yearly basis. Data encryption and key rotation are entirely transparent and require no configuration or management.

Key rotation transitions an active encryption key to a retired state. In practice, this means the key is no longer used to encrypt new data (or to decrypt data encrypted with it as part of normal use) and is used only to decrypt the data that was encrypted with it.

Rekeying transitions a retired encryption key to being destroyed. In practice, this means re-encrypting the data that was encrypted with the retired key using a new key, and then disposing of the retired key.

Rekeying constrains the total duration in which a key is used for recipient usage, following NIST recommendations. Furthermore, when rekeying data, Snowflake can increase encryption key sizes and utilize better encryption algorithms that may have been standardized since the previous key generation was created.

Rekeying, therefore, ensures that all customer data, new and old, is encrypted with the latest security technology.

Solution

Programmatically:

Set the parameter value to true:

ALTER ACCOUNT
SET PERIODIC_DATA_REKEYING=true;
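The benchmark gives only the remediation statement; the following is an added audit-and-verify sequence (not part of the benchmark or of Snowflake's documentation) that checks the account-level value before and after the change. It assumes a role with ACCOUNTADMIN privileges and an account edition on which periodic rekeying is offered (Business Critical or higher).

```sql
-- Added audit/remediation example; assumes ACCOUNTADMIN (or equivalent).

-- 1. Audit: read the current account-level value of the parameter.
SHOW PARAMETERS LIKE 'PERIODIC_DATA_REKEYING' IN ACCOUNT;

-- 2. Filter the SHOW output so a row is returned only when the control
--    fails. "level" is empty when the value has never been set explicitly
--    (the default, 'false', is in effect) and 'ACCOUNT' once it has been.
SELECT "key", "value", "default", "level"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE LOWER("value") <> 'true';

-- 3. Remediate when step 2 returned a row (the benchmark's own statement).
ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = TRUE;

-- 4. Verify: the same filter should now report zero failing rows.
SHOW PARAMETERS LIKE 'PERIODIC_DATA_REKEYING' IN ACCOUNT;
SELECT COUNT(*) AS failing_rows
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE LOWER("value") <> 'true';
```

The RESULT_SCAN step must run in the same session immediately after its SHOW statement, since LAST_QUERY_ID() refers to the previous query in that session.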

Impact:

None.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: Snowflake

Control ID: 2efe5e976a4bd553e0b98164658ac316c4d1dbd374a84738d14f5160a21ce0bd