Account and Security

Question 1

Account Identifiers

Answer 1

Account identifiers uniquely identify a Snowflake account within an organization and throughout the global network of Snowflake-supported cloud platforms and cloud regions.

Question 2

The three components that determine Snowflake costs/usage

Answer 2

Storage
Virtual Warehouse (compute)
Cloud Services

Question 3

Data Storage (usage)

Answer 3

Usage for data storage is calculated on the daily average amount of data stored in the system for staged files and tables (historical, time-travel, clones and fail-safe)

Question 4

Virtual Warehouses/Compute (usage)

Answer 4

Usage for virtual warehouses (compute) is calculated based on the number of Snowflake credits consumed during query execution, loading data, and other DML ops.

Question 5

Cloud Services (usage)

Answer 5

Usage for cloud services is only charged if the daily consumption of the services exceeds 10% of the daily usage of compute resources.

Question 6

Information Schema

Answer 6

The Snowflake Information Schema or Data Dictionary consists of a set of system-defined views and table functions that provide metadata information about the objects created in your account.

The Snowflake Information Schema is based on the SQL-92 ANSI Information Schema.

Question 7

MFA Enablement

Answer 7

MFA is enabled on a per-user basis, and users are not (currently) auto-enrolled in MFA; users must enroll themselves.

Any user can self-enroll through the web interface.

Question 8

Snowflake MFA Recommendation

Answer 8

It is strongly recommended by Snowflake that all ACCOUNTADMIN users be required to use MFA.

Question 9

Disabling MFA for a particular user

Answer 9

ALTER USER SET MINS_TO_BYPASS_MFA=10;

ALTER USER SET DISABLE_MFA=TRUE;

Question 10

DISABLE_MFA property

Answer 10

DISABLE_MFA is not a column in any Snowflake table or view.

When an account admin sets DISABLE_MFA to true, the value for the EXT_AUTHN_DUO property is set to FALSE.

Question 11

MFA Caching

Answer 11

Using MFA Caching allows users to log back into Snowflake without having to use MFA again within a given timeframe. (4 hours)

Question 12

MFA Token Invalidation Criteria

Answer 12

• The ALLOW_CLIENT_MFA_CACHING parameter is set to FALSE for the account
• The method of authentication changes.
• The authentication credentials change (i.e username/password)
• The authentication credentials are not valid.
• The cached token expires or is not cryptographically valid.
• The account name associated with the cached token changes.

A cached MFA token is invalid if any of the above conditions are met.

Question 13

Enabling MFA Caching

Answer 13

ALTER ACCOUNT SET ALLOW_CLIENT_MFA_CACHING = true;

An account admin must set the ALLOW_CLIENT_MFA_CACHING parameter to true for an account using the ALTER ACCOUNT command

Question 14

Encryption Key Management

Answer 14

Snowflake manages data encryption keys to protect customer data. This management occurs automatically without any customer intervention.

Customers can use the key management service in the cloud platform that hosts their Snowflake account to maintain their own additional encryption key.

Question 15

Tri-Secret Secure

Answer 15

The combination of a Snowflake-maintained key and a Customer-managed key creates a composite master key to protect the Snowflake data, called Tri-Secret Secure.

Question 16

Encryption Standards for Snowflake Managed Keys

Answer 16

All customer data is encrypted by default using the latest security standards and best practices.
Snowflake uses AES 256-bit encryption with a hierarchical key model rooted in a hardware security module.

Question 17

Rekeying

Answer 17

Keys are rotated on a regular basis by Snowflake, and data can be re-encrypted (“rekeyed”) on a regular basis.

Question 18

Hierarchical Key Model (wrapping)

Answer 18

The hierarchical key model is composed of several layers of keys in which each higher layer of keys (parent keys) encrypts the layer below (child keys). This is also referred to as “wrapping”.

The layers are as follows (in descending order):

- Root Key
- Account Master Keys
- Table Master Keys
- File Keys

Question 19

Key Rotation Threshold

Answer 19

All Snowflake-managed keys are auto-rotated when they are more than 30 days old.

Question 20

Rotation Key Encryption

Answer 20

Active keys are “retired” and new keys are created. Retired keys are only used to decrypt data and is only available for accessing the data.
When a key is destroyed, it is no longer used for encryption or decryption.

Question 21

Periodic Rekeying

Answer 21

While key rotation ensures that a key is transferred from its active state to a retired state, rekeying ensures that a key is transferred from its retired state to being destroyed.
When retired encryption keys (for a table) are older than 1 year, Snowflake will automatically create a new encryption key and re-encrypt all data previously protected by the retired key with the new key. This key will be used for the table data going forward until the cycle repeats itself.
This feature is only available on Enterprise Edition Accounts.

Question 22

Enable Periodic Rekeying

Answer 22

Account Admin users should ALTER ACCOUNT and the PERIODIC_DATA_REKEYING parameter

ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = true;

Question 23

Effects of Rekeying on Time Travel and Fail-safe

Answer 23

Time Travel and Fail-safe retention periods are not affected by rekeying.

Additional storage charges are associated with rekeying of data in Fail-safe. Snowflake customers are charged with additional storage for Fail-safe protection of data files that were rekeyed. For these files, 7 days of Fail-safe protection is charged.

Question 24

Hardware Security Module (HSM)

Answer 24

Snowflake relies on one of several cloud-hosted security module services as a tamper-proof highly secure way to generate, store, and use the root keys of the key hierarchy.

Question 25

Benefits of HSM

Answer 25

• The HSM ensures keys never leave the HSM and that all cryptographic operations are performed within the HSM.
• All keys in the key hierarchy require the HSM to be unwrapped.
• In addition to generating new keys when creating new accounts and tables, the HSM generates secure, random encryption keys during key rotation and rekeying.

Question 26

End-to-end encryption (E2EE)

Answer 26

End-to-end encryption (E2EE) is a method to secure data that prevents third parties from reading data while at-rest or in transit to and from Snowflake and to minimize the attack surface.

Question 27

Encryption Areas

Answer 27

While the data may not be encrypted in the Customer provided staging area, it will be encrypted as soon as it enters Snowflake.

Question 28

Client-side Encryption Protocol

Answer 28

1. The customer creates a secret master key, which is shared with Snowflake.
2. The client, which is provided by the cloud storage service, generates a random encryption key and encrypts the file before uploading it into cloud storage. The random encrypted key is then encrypted with the customer’s master key.
3. Both the encrypted file and random encryption key are uploaded to the cloud storage service. The encrypted random key is stored with the file’s metadata.

Question 29

Ingesting Client-side Encrypted Data into Snowflake

Answer 29

– create encrypted stage
CREATE STAGE encrypted_customer_stage
URL=’s3://customer-bucket/data/’
CREDENTIALS=(aws_key_id=’ABCDEFGH’ aws_secret_key=’12345678’)ENCRYPTION=(master_key=’eSxX0jzYfIamtnBKOEOxq80Au6NbSgPH5r4BDDwOaO8=’);

Question 30

Network Policies

Answer 30

Network policies allow access restrictions to your account based on user IP address.
Effectively, a network policy enables you to create an IP white and or blacklist.

Question 31

CIDR Notation

Answer 31

Snowflake supports specifying ranges of IP addresses using Classless Inter-Domain Routing (i.e. CIDR) notation.
For example, 192.168.1.0/24 represents all IP addresses in the range of 192.168.1.0 to 192.168.1.255.

Question 32

Bypassing Network Policy

Answer 32

It is possible to temporarily bypass a network policy for a set number of minutes by configuring the user object property MINS_TO_BYPASS_NETWORK_POLICY, which can be viewed by executing DESCRIBE USER.

Only Snowflake can set the value for this object property. Please contact Snowflake Support to set a value for this property.

Question 33

Creating a Network Policy

Answer 33

CREATE NETWORK POLICY mypolicy1 ALLOWED_IP_LIST=(‘192.168.1.0/24’) BLOCKED_IP_LIST=(‘192.168.1.99’);

DESC NETWORK POLICY mypolicy1;

Question 34

Identify a Network Policy by Account

Answer 34

SHOW PARAMETERS LIKE ‘network_policy’ IN ACCOUNT;

Question 35

Identify a Network Policy by User

Answer 35

SHOW PARAMETERS LIKE ‘network_policy’ IN USER ;

Question 36

Access Control in Snowflake

Answer 36

Snowflake provides granular control over access to objects - who can access what objects, what operations can be performed on those objects, and who can create/alter access control policies.

Question 37

Access Control Models in Snowflake

Answer 37

• Discretionary Access Control (DAC)

- Role-based Access Control (RBAC)

Question 38

Discretionary Access Control (DAC)

Answer 38

Each object has an owner, who can in turn grant access to that object.

Question 39

Role-based Access Control (RBAC)

Answer 39

Access privileges are assigned to roles, which are in turn assigned to users.

Question 40

Key objects within Access Control in Snowflake

Answer 40

• Securable Object
• Role
• Privilege
• User

Question 41

Securable Object

Answer 41

An entity to which access can be granted. Unless allowed by a grant, access will be denied.

Question 42

Role

Answer 42

An entity to which privileges can be granted. Roles are in turn assigned to users. Roles can also be assigned to other roles to create a role hierarchy.

Question 43

Privilege

Answer 43

A defined level of access to an object. Multiple privileges can be assigned to a role, and may be used to control the granularity of access granted.

Question 44

User

Answer 44

A user identity recognized by Snowflake.

Question 45

Object Ownership

Answer 45

To own an object means that a role has the OWNERSHIP privilege on the object. Each securable object is owned by a single role, which by default is the role used to create the object.

Question 46

Managed Access Schema

Answer 46

Unlike regular schemas, object owners cannot grant ownership to an object within a schema. Only the schema owner (someone with ownership rights to a schema) can grant privileges on a object within the schema.

Question 47

ORGADMIN

Answer 47

A separate system role that manages operations at the organization level, not included in the hierarchy system of roles.

Question 48

Role Hierarchy

Answer 48

Account Admin
Security Admin // Sys Admin
User Admin // Custom Roles
Public

Question 49

Federated Environment

Answer 49

In a federated environment, user authentication is separate from user access through the use of one or more external entities to provide independent authentication of user credentials.

Question 50

Federated Environment Components

Answer 50

• Service Provider (SP)

- Identity Provider (IdP)

Question 51

Service Provider

Answer 51

In Snowflake, Snowflake serves as the service provider.

Question 52

Identity Provider

Answer 52

An external, independent entity responsible for maintaining user credentials/other profile information and authenticating users for SSO access to the service provider.

Question 53

Categories of Privilege

Answer 53

Global Privileges
Account Object Privileges
Schema Privileges
Schema Object Privileges

Question 54

Dynamic Data Masking

Answer 54

A column-level security feature that uses masking policies to selectively mask data at query run-time. This is data that was previously loaded in plain-text (unmasked).

Question 55

Dynamic Data Masking Configuration

Answer 55

Grant masking policy privileges to a custom role, grant the role to the right user, have that role define the masking policies and then apply these policies to the columns with sensitive data. After this is done queries that run on the sensitive data will be masked if the user running the query does not have access to see that data.

Question 56

Metadata and Usage Schemas

Answer 56

INFORMATION_SCHEMA
ACCOUNT_USAGE
READER_ACCOUNT_USAGE

Question 57

ACCOUNT_USAGE schema

Answer 57

Contains views and table functions that display object metadata and usage metrics for your account.

Question 58

Difference between ACCOUNT_USAGE and INFORMATION_SCHEMA

Answer 58

ACCOUNT_USAGE mirrors INFORMATION_SCHEMA except that the ACCOUNT_USAGE schema displays information on records/dropped objects, longer retention time for historical usage data, and latency information.

Question 59

READER_ACCOUNT_USAGE schema

Answer 59

This is basically just an ACCOUNT_USAGE schema but captures data for all one’s reader accounts (if one was a Secure Data Sharing provider)

Question 60

External Tokenization

Answer 60

Allows organizations to tokenize sensitive data before loading that data into Snowflake and dynamically detokenize the data at query runtime using masking policies and external functions.

Question 61

External Tokenization Requirements

Answer 61

External Functions

Enterprise Edition or higher

Question 62

How does External Tokenization work?

Answer 62

External Tokenization works when data is already encrypted BEFORE being loaded into Snowflake. Through the use of masking policies and external functions, Snowflake will dynamically unencrypt this data on a query-by-query basis only when permitted users are allowed to view this data (as permitted by the masking policy).

Question 63

-