Authored by: Rajiv Gupta
What Is Snowflake Trust Center?
The Snowflake Trust Center is a comprehensive framework designed to assess and monitor security compliance within your Snowflake account. It leverages metadata-based rules derived from the CIS Snowflake Benchmarks document, ensuring that your Snowflake environment adheres to industry best practices. Snowflake Trust Center provides a systematic approach to security compliance, offering insights into potential vulnerabilities and actionable steps for improvement. By enabling this framework into your Snowflake environment, you can enhance your data security and maintain alignment with industry standards.
Key Features of the Snowflake Trust Center
1. Metadata-Based Framework:
The Trust Center operates as a metadata-driven system. It executes predefined rules against your Snowflake account, evaluating security configurations and practices. Each rule corresponds to a specific security check, covering aspects such as access controls, encryption, authentication, and data protection.
2. Severity-Based Alerts:
When a violation is detected, the Trust Center raises alerts based on severity levels:
Low: Minor issues that require attention.
Medium: More significant issues that need prompt resolution.
High: Critical issues that demand immediate action.
Critical: Severe vulnerabilities that pose a significant risk.
These alerts help prioritize remediation efforts.
3. Serverless Compute:
The Trust Center leverages serverless computing resources to execute its rules. This ensures efficient and scalable processing without the need for manual intervention.
4. Check Points and Recommendations:
Currently, the Trust Center evaluates 39 checkpoints, as detailed in the CIS benchmark documents. For each violation, it provides actionable recommendations on how to address the issue. Additionally, it generates a summary list of objects (e.g., tables, views, roles) that violate the rules.
5. Focus on Metadata:
The Trust Center relies on Snowflake metadata to assess security measures. It checks whether requested setups (e.g., user roles, access policies, encryption keys) exist and are correctly configured. However, it does not validate the effectiveness of the security measures in achieving their intended goals.
6. No Guarantee of Effective Implementation:
It’s essential to recognize that the absence of a violation does not guarantee optimal security implementation.
While the Trust Center ensures compliance with specified rules, it does not comprehensively evaluate the overall security posture. Organizations must still consider context-specific factors and industry-specific requirements.
How To Enable Trust Center?
Trust center is available to all accounts. To use this feature, you just need capacity, contract, or a paid account. You can find trust center under Monitoring > Trust Center
Trust center has 2 tabs:
1. Finding Tab — This tab takes care of all outcomes of security scan. Finding tab also builds a predefined graph to showcase the CIS Benchmark violation daily with separate color coding per severity.To get access to this tab you need to either have ACCOUNTADMIN role privilege or do have access to below application role:
SNOWFLAKE.TRUST_CENTER_VIEWER or SNOWFLAKE.TRUST_CENTER_ADMIN
2. Scanner Packages—This tab enables the scanner service. You must enable this scanner package to have it run every 24 hours (default setup).
You can always change the schedule. The moment you click on the Enable button, you will be asked to provide a schedule.
How Can I Enable Trust Center For a Custom Role?
Below is the code sample which can help you set up the custom role with required privilege.
USE ROLE ACCOUNTADMIN;
–This is how you can setup trust center admin custom role.
CREATE ROLE SECURITY_ADMIN;
GRANT APPLICATION ROLE
SNOWFLAKE.TRUST_CENTER_ADMIN TO ROLE
SECURITY_ADMIN;
–This is how you can setup trust center viewer custom role.
CREATE ROLE SECURITY_VIEWER;
GRANT APPLICATION ROLE
SNOWFLAKE.TRUST_CENTER_VIEWER TO ROLE
SECURITY_VIEWER;
GRANT ROLE SECURITY_ADMIN TO USER RAJIV_ADMIN;
GRANT ROLE SECURITY_VIEWER TO USER ROB
How To Monitor Cost For Trust Center?
As mentioned above, Trust Center rules are executed using serverless compute. The Virtual Warehouse, which we use at Trust Center, is used to display the results in the UI, not to execute the rules.
You can view this serverless cost using the below query using ACCOUNTADMIN role only.
SELECT SUM(CREDITS_USED)
FROM snowflake.account_usage.serverless_task_history
WHERE
DATABASE_NAME = ‘SNOWFLAKE’ AND
SCHEMA_NAME = TRUST_CENTER_STATE’ AND
START_TIME BETWEEN ‘2024-05-23 00:00:00.000 -0700’ AND
‘2024-05-22 11:59:59.00;
