3.1 Ensure that an account-level network policy has been configured to only allow access from trusted IP addresses

Information

Network policies allow restricting access to a Snowflake account based on source IP addresses. A network policy can be configured either on the account level, for all users of the account, or on the user level, for a specific user. In the presence of both account-level and user-level policies, the user-level policies take precedence.

A network policy can also be configured on the SCIM and Snowflake OAuth security integrations to restrict the source IP addresses allowed when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token. If no network policy is set on a security integration of those types, the account-level network policy applies to it, if one is set.

Network policies help mitigate the threat of leaked user credentials. If an account network policy is not configured limiting source IP addresses, leaked Snowflake credentials can be used from anywhere in the world.

Network policies are especially useful when there is a heightened risk of credential leakage, for example when users authenticate to Snowflake with Snowflake passwords instead of SSO.

A network policy set on the account level serves as a coarse-grained baseline for the majority of Snowflake users and can be further tightened for specific highly privileged users, service accounts, and security integrations.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the UI:

- Go to https://app.snowflake.com/ and sign into your Snowflake account.
- On the left side navigation bar, click on Admin.
- Under Admin, click on Security.
- Under the Network Policies tab, click the + Network Policy button on the top right side.
- Enter a Policy Name and a list of Allowed IP Addresses.
- Click Create network policy.
- Find your policy in the list of network policies and click Activate policy. This will set the network policy at the account level.

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- Create a network policy. Replace <policy_name> with the name you want to give the policy, and customize the list of allowed and blocked IP addresses:

CREATE NETWORK POLICY <policy_name> ALLOWED_IP_LIST=('192.168.1.0/24');

- Set the network policy at the account level:

ALTER ACCOUNT SET NETWORK_POLICY = <policy_name>;

For more information, see the documentation on creating network policies.

Note:

- When a network policy includes values for both ALLOWED_IP_LIST and BLOCKED_IP_LIST, Snowflake applies the blocked list first.

- Do not add 0.0.0.0/0 to BLOCKED_IP_LIST. Because Snowflake applies the blocked list first, this would block your own access. Additionally, in order to block all IP addresses except a select list, you only need to add IP addresses to ALLOWED_IP_LIST; Snowflake automatically blocks all IP addresses not included in the allowed list.

- You can create and set a network policy on a security integration to configure the allowed IP addresses from your IdP used when exchanging an authorization code for an access or refresh token and when using a refresh token to obtain a new access token.
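The following is an added example, not part of the benchmark or of Snowflake's own tooling: it models the evaluation order described in the notes above (blocked list first, then anything outside the allowed list is denied) so that a policy can be reviewed for the 0.0.0.0/0 pitfall and for operator lockout before it is activated with ALTER ACCOUNT. The policy dictionary and IP addresses are constructed sample values; treating an empty ALLOWED_IP_LIST as "only the blocked list restricts" is an assumption of this model.

```python
from ipaddress import ip_address, ip_network

# Constructed sample policy, mirroring the CREATE NETWORK POLICY statement above
# plus a blocked host inside the allowed range.
EXAMPLE_POLICY = {
    "ALLOWED_IP_LIST": ["192.168.1.0/24", "203.0.113.10"],
    "BLOCKED_IP_LIST": ["192.168.1.99"],
}

ANY_IPV4 = ip_network("0.0.0.0/0")


def _in_any(ip, cidrs):
    """True if ip falls inside any of the given addresses or CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def is_allowed(ip, policy):
    """Model of the documented order: blocked list is applied first, then the
    source must appear in the allowed list (if one is configured at all)."""
    if _in_any(ip, policy.get("BLOCKED_IP_LIST", [])):
        return False
    allowed = policy.get("ALLOWED_IP_LIST", [])
    if not allowed:  # assumption: no allowed list means only the blocked list restricts
        return True
    return _in_any(ip, allowed)


def lint_policy(policy, operator_ip):
    """Findings a reviewer would raise before setting the policy at account level.
    operator_ip is the source address the administrator is connecting from."""
    findings = []
    blocked = policy.get("BLOCKED_IP_LIST", [])
    if any(ip_network(c, strict=False) == ANY_IPV4 for c in blocked):
        findings.append("BLOCKED_IP_LIST contains 0.0.0.0/0: blocks all access, including your own")
    if not policy.get("ALLOWED_IP_LIST"):
        findings.append("ALLOWED_IP_LIST is empty: no source-IP baseline beyond the blocked list")
    if not is_allowed(operator_ip, policy):
        findings.append(f"operator IP {operator_ip} would be locked out once the policy is active")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(EXAMPLE_POLICY, "192.168.1.5") or ["no findings"]:
        print(finding)
```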

Impact:

If a network policy is misconfigured to disallow IP addresses from which users usually access Snowflake, their productivity may be impacted.

If a network policy is misconfigured to disallow IP addresses from which services and automation usually access Snowflake, reliability of those services and automation may be impacted.

If a network policy is misconfigured to disallow IP addresses used by one of the Snowflake security integrations that support network policies, those integrations will be broken.

If a user with permissions to configure network policies on the account accidentally locks themselves and everybody else with such permission out, they will need to contact Snowflake customer support to restore access to their account.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, 800-53|SC-7(5), CSCv7|9.4

Plugin: Snowflake

Control ID: 486c8ecb965f87da83f742c23b24ab2180502fa0ff4082d9b66f3eeababeece9