Account Access & Security

Question 1

Role-based Access Control (RBAC)

Answer 1

an access control framework in which access privileges are assigned to roles and in turn assigned to users.

Question 2

Discretionary Access Control (DAC)

Answer 2

Snowflake combines RBAC with Discretionary Access Control (DAC) in which each object has an owner, who can in turn grant access to that object.

Question 3

What command shows the role of the securable object?

Answer 3

SHOW <object></object>

Question 4

Owning Role

Answer 4

• Has all privileges on the object by default
• Can grant or revoke privileges on the object to other roles
• Transfer ownership to another role
• Share control of an object if the owning role is shared

Question 5

What privilege access is granted to roles?

Answer 5

• Ability to create a Warehouse
• Ability to list tables contained in a schema
• Ability to add data to a table

Question 6

What objects are securable?

Answer 6

Question 7

Unless allowed by a grant, access to a securable object will be __________.

Answer 7

denied

Question 8

Role

Answer 8

an entity to which privileges on securable objects can be granted or revoked

Question 9

User

Answer 9

• Roles are assigned to users to give them the authorization to perform actions
• A user can have multiple roles and switch between them within a Snowflake session
• Roles can be granted to other roles creating a role hierarchy
• Privileges of child roles are inherited by parent roles

Question 10

System-defined Roles type

Answer 10

• ORGADMIN
• ACCOUNTADMIN
• SECURITYADMIN
• SYSADMIN
• USERADMIN
• PUBLIC

Question 11

ORGADMIN

Answer 11

• Manages operations at organization level
• Can create account in an organization
• Can view all accounts in an organization
• Can view usage information across an organization

Question 12

ACCOUNTADMIN

Answer 12

• Top-level and most powerful role for an account
• Encapsulates SYSADMIN & SECURITYADMIN
• Responsible for configuring account-level parameters
• View and operate on all objects in an account
• View and manage Snowflake billing and credit data
• Stop any running SQL statements

Question 13

SYSADMIN

Answer 13

• Can create warehouses, databases, schemas and other objects in an account

Question 14

SECURITYADMIN

Answer 14

• Manage grants globally via the MANAGE GRANTS privilege
• Create, monitor and manage users and roles

Question 15

USERADMIN

Answer 15

• User and Role management via CREATE USER and CREATE ROLE security privileges
• Can create users and roles in an account

Question 16

PUBLIC

Answer 16

• Automatically granted to every user and every role in an account
• Can own securable objects, however objects owned by PUBLIC role are available to every other user and role in an account

Question 17

Customer Role

Answer 17

• allows you to create a role with custom and fine-grained security privileges defined
• allow administrators working with the system-defined roles to exercise the security principle of least privilege
• can be created by the SECURITYADMIN & USERADMIN roles as well as by any role to which the CREATE ROLE privilege has been granted
• it is recommend to create a hierarch of custom roles with the top-most custom role assigned to the SYSADMIN role
• if custom roles are not assigned to the SYSADMIN role, system admins will not be able to manage the objects owned by the custom role

Question 18

Privilege

Answer 18

A security privilege defines a level of access to an object

For each object there is a set of security privileges that can be granted on it

Question 19

What are the 4 categories of security privileges?

Answer 19

1. Global privileges
2. Privileges for account objects
3. Privileges for schemas
4. Privileges for schema objects

Global Privileges–>Account Objects–>Schemas–>Schema Objects

Question 20

Privileges are managed using the ___________ and __________ commands.

Answer 20

GRANT; REVOKE

GRANT USAGE ON DATABASE MY_DB TO ROLE MY_ROLE;
REVOKE USAGE ON DATABASE MY_DB TO ROLE MY_ROLE;

Question 21

Statement to grant future privileges for objects not yet created.

Answer 21

GRANT SELECT ON FUTURE TABLES IN SCHEMA MY_SCHEMA TO ROLE MY_ROLE;

Question 22

User Authentication

Answer 22

the process of authenticating with Snowflake via user provided username and password credentials

the default method of authentication

Question 23

Users with the ______________ role can create additional Snowflake users, which makes use of the ______________ privilege.

Answer 23

USERADMIN; CREATE USER

CREATE USER USER1
PASSWORD=’ABC123’
DEFAULT_ROLE = MYROLE
MUST_CHANGE_PASSWORD = TRUE;

Question 24

Password Requirements

Answer 24

• can be any case-sensitive string up to 256 characters
• must be at least 8 characters long
• must contain at least 1 digit
• must contain at least 1 uppercase letter and 1 lowercase letter

Question 25

Multi-factor Authentication (MFA)

Answer 25

an additional layer of security, requiring the user to prove their identity not only with a password but with an additional piece of information (or factor)

Question 26

MFA in Snowflake is powered by a service called __________.

Answer 26

Duo Security

Question 27

MFA is enabled on a ______________ basis & only via the _______.

Answer 27

per-user; UI

Question 28

Snowflake recommends that all users with the _______________ role be required to use ____________.

Answer 28

ACCOUNTADMIN; MFA

Question 29

Multi-Authentication Flow

Answer 29

Question 30

MINS_TO_BYPASS_MFA

Answer 30

ALTER USER USER1 SET
MINS_TO_BYPASS_MFA=10;

Specifies the number of minutes to temporarily disable MFA for the user so that they can log in.

Question 31

DISABLE_MFA

Answer 31

ALTER USER USER1 SET
DISABLE_MFA=TRUE;

Disables MFA for the user, effectively cancelling their enrollment. To use MFA again, the user must re-enroll.

Question 32

ALLOWS_CLIENT_MFA_CACHING

Answer 32

ALTER USER USER1 SET
ALLOWS_CLIENT_MFA_CACHING=TRUE;

MFA token caching reduces the number of prompts that must be acknowledged while the connecting and authenticating to Snowflake.

Question 33

Federated Authentication

Answer 33

• enables users to connect to Snowflake using secure SSO (single sign-on)
• Snowflake can delegate authentication responsibility to an SAML 2.0 compliant external identity provider (IdP) with native support for Okta and ADFS IdPs.

Question 34

IdP

Answer 34

An independent service responsible for creating and maintain user credentials as well as authenticating users for SSO access to Snowflake.

Question 35

In a federated environment Snowflake is referred to as a _______________.

Answer 35

Service Provider (SP)

Question 36

Federated Authentication Login Flow

Answer 36

Question 37

Key Pair Authentication Steps

Answer 37

1. Generate Key-Pair using OpenSSL
2. Assign Public Key to Snowflake User
3. Configure Snowflake Client
4. Configure Kye-Pair Rotation

Question 38

Oauth

Answer 38

• Snowflake supports the OAuth 2.0 protocol.
• OAuth is an open-standard protocol that allows supported clients authorized acess to Snowflake without sharing or stronger user login credentials
• Snowflake offers two OAuth pathways; Snowflake OAuth and External OAuth.

Question 39

SCIM

Answer 39

• System for Cross-domain Identity Management (SCIM) can be used to manage users and groups (Snowflake roles) in cloud applications using RESTful APIs.

Question 40

Network Policies

Answer 40

• provide the user with the ability to allow or deny access to their Snowflake account based on a single IP address or list of addresses.
• composed of an allowed IP range and optionally a blocked IP range. Blocked IP ranges are applied first.
• currently support only IPv4 addresses
• use CIDR notation to express an IP subnet range
• can be applied on the account level or to individual users
• if a user is associated to both an account-level and user-level network policy, the user-level policy takes precedence

Question 41

Only _ Network Policy can be associated with an account at any one time.

Answer 41

1

Question 42

________________ or ______________ system roles can apply policies. Or custom role with the ____________________ global privilege.

Answer 42

SECURITYADMIN, ACCOUNTADMIN, ATTACH POLICY

Question 43

Network policies can be applied to __________ or ______________.

Answer 43

ACCOUNT; USER

Question 44

Data Encryption States

Answer 44

• Encryption At Rest
• Encryption In Transit

Question 45

Encryption At Rest Security Protocol

Answer 45

AES-256 strong encryption

Question 46

Encryption In Transit Security Protocol

Answer 46

HTTPS TLS 1.2

Question 47

E2EE Encryption Flows - Internal

Answer 47

User –PUT–> Internal Stage – COPY INTO <table>–>Table

Question 48

E2EE Encryption Flows - Internal

Answer 48

User–Cloud Utils–>External Stage–COPY INTO<table>–>Table

Question 49

Hierarchical Key Model

Answer 49

Root Key–>Account Master Keys–>Table Master Keys–>File Keys

Question 50

Key Rotation

Answer 50

Key rotation is the practice of transparently replacing existing account and table encryption keys every 30 days with a new key.

Question 51

Re-Keying

Answer 51

• Once retired key exceeds 1 year, Snowflake automatically creates a new encryption key and re-encrypts all data previously protected by the retired key using the new key.
• Enterprise edition feature
• Comes at a charge
• Requires ACCOUNTADMIN role
• ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = TRUE;

Question 52

Tri-secret Secure and Customer Managed Keys

Answer 52

KMS is Key Management Service
HSM is Microsoft Azure Key Vault

Question 53

Dynamic Data Masking

Answer 53

Sensitive data in plain text is loaded into Snowflake, and it is dynamically masked at the time of query for unauthorized users.

Question 54

Masking Policies STATEMENT

Answer 54

CREATE MASKING POLICY EMAIL_MASK AS (VAL STRING) RETURNS STRING->
CASE
WHEN CURRENT_ROLE() IN (‘SUPPORT’) THEN VAL
ELSE ‘***’
END;

Question 55

Masking Policies

Answer 55

1. Data masking policies are schema-level objects, like tables & views.
2. Creating and applying data masking policies can be done independently of object owners
3. Masking policies can be nested, existing in tables and views that reference those tables.
4. A masking policy is applied no matter where the column is referenced in a SQL statement.
5. A data masking policy can be applied either when the object is created or after the object is created.

Question 56

External Tokenization

Answer 56

Tokenized data is loaded into Snowflake, which is detokenized at query run-time for authorized users via masking policies that call an external tokenization service using external functions.

Question 57

Row Access Policies

Answer 57

Row access policies enable a security team to restrict which rows are returned in a query.

Question 58

CREATE ROW ACCESS POLICY Statement

Answer 58

CREATE OR REPLACE ROW ACCESS POLICY RAP_ID AS (ACC_ID VARCHAR) RETURNS BOOLEAN->
CASE
WHEN ‘ADMIN’=CURRENT_ROLE() THEN TRUE
ELSE
END;

Question 59

Row Access Policies similarities with Column Masking Policies

Answer 59

• Schema level object
• Segregation of duties
• Creation and applying workflow
• Nesting policies

Question 60

Row Access Policies Important Points

Answer 60

• Adding a masking policy to a column fails if the column is referenced by a row access policy
• Row access policies are evaluated before data masking policies.

Question 61

Secure views

Answer 61

• are a type of view designed to limit access to the underlying tables or internal structural details of a view
• both standard and materialized views can be designated as secure
• created by adding the keyword SECURE in the view DDL
• definition of a secure view is only available to the object owner
• secure views bypass query optimization which may inadvertently expose data in the underlying table

Question 62

Account Usage

Answer 62

• Snowflake proves a shared read-only databased called SNOWFLAKE, imported using a Share object called ACCOUNT_USAGE
• It is comprised of 6 schemas, which contain many views providing fine-grained usage metrics at the account and object level
• By default, only users with the ACCOUNTADMIN role can access the SNOWFLAKE database
• Account usage views record dropped objects, not just those that are currently active.
• There is a latency between an event and when that event is recorded in an account usage view
• Certain account usage views provide historical usage metrics. The retention period for these views is 1 year.

Question 63

Each data created in an account automatically includes a built-in, read-only schema named _________________ based on the ______________ Information Schema

Answer 63

INFORMATION_SCHEMA; SQL-92 ANSI

Question 64

Each INFORMATION_SCHEMA contains:

Answer 64

• views displaying metadata for all objects contained in the database
• views displaying metadata for account-level objects (non-database objects such as roles, warehouses and databases)
• Table functions displaying metadata for historical and usage data across an account

Question 65

The output of a view or table function depends on the:

Answer 65

privileges granted to the user’s current role

Question 66

Account Usage vs Information Schema

Answer 66