One of the easiest ways a bad actor could steal data from your Snowflake Data Cloud account is to leverage external stages to copy the data to their own cloud storage, such as S3. Of course, this actor would need to gain access to your Snowflake account, but you can limit the risk even in that case by taking a few precautions.
In this blog, we’ll show you how to tighten security on your Snowflake account and highlight some of the free tooling we’ve built from the phData Toolkit to address security concerns in Snowflake.Â
Note: Many security settings are important for Snowflake; this document focuses specifically on the risk of data exfiltration. Additionally, our Advisor Tool can be used to audit these settings, and our Elastic Operations team can help enhance the overall security posture of your data platform.Â
Prevent Access
Nothing works better than preventing access to bad actors in the first place. There are many factors to this, but among the most critical are leveraging SSO with MFA and robust security policies, along with ensuring a sufficiently strict NETWORK_POLICY is applied at the account level to all users.
ALTER ACCOUNT SET NETWORK_POLICY = ...;
Note: The phData Provision Tool can ensure these configurations and the ones recommended below are set and stay set across all of your Snowflake accounts, leveraging auditable infrastructure as code.
Prevent Unloading To Inline URLs
ALTER ACCOUNT SET PREVENT_UNLOAD_TO_INLINE_URL = true;
This configuration prevents users from unloading data directly to inline URLs, which can be a significant security risk. Inline URLs, unlike controlled storage destinations, may not have the same level of security and can expose data to potential interception or unauthorized access.Â
Additionally, they could contain access settings directly in the statement or URL. Enabling this setting ensures that data unloading operations are restricted to secure, authenticated storage locations.
Require Secure Storage Integrations
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_CREATION = true;
ALTER ACCOUNT SET REQUIRE_STORAGE_INTEGRATION_FOR_STAGE_OPERATION = true;
This configuration mandates using storage integrations when creating external stages, ensuring that data is transferred and stored in a secure and controlled environment. Storage integrations provide a layer of security by managing and centralizing storage credentials rather than embedding them in stage definitions.Â
This approach not only enhances security by abstracting access details away from the end users but also streamlines credential management and ensures adherence to organizational policies and compliance standards.
Audit Access
Part of why requiring storage integrations (shown above) is so essential to prevent data exfiltration is that creating a storage integration by default requires ACCOUNTADMIN access in Snowflake. This is the highest privilege available and the privilege that the least number of users should have access to.Â
For that reason, it is important to regularly audit who has access to the ACCOUNTADMIN Role and the CREATE STORAGE INTEGRATION privilege.
SELECT *
FROM snowflake.account_usage.grants_to_users
WHERE role = 'ACCOUNTADMIN'
AND deleted_on IS NULL;
SELECT * FROM snowflake.account_usage.grants_to_roles
WHERE name = 'ACCOUNTADMIN'
AND deleted_on IS NULL;
SELECT * FROM snowflake.account_usage.grants_to_roles
WHERE privilege = 'CREATE INTEGRATION'
AND deleted_on IS NULL;
Note: Due to Snowflake’s powerful role hierarchy, auditing access can get complicated with queries. The phData Access Tool can make visualizing and auditing access easy.Â
Conclusion
Taking extra steps to safeguard your Snowflake account from bad actors is essential to ensure your data is protected. We recommend reevaluating your security strategy and data governance standards frequently to ensure optimal protection. We hope the tips covered in this blog help your organization mitigate the risk of Snowflake data exfiltration to external cloud storage.
If you need more Snowflake security advice, have a question, or are curious about any of the free tools discussed in this blog, reach out to the Snowflake experts at phData!
