Account and Security Flashcards

1
Q

Account Identifiers

A

Account identifiers uniquely identify a Snowflake account within an organization and throughout the global network of Snowflake-supported cloud platforms and cloud regions.

2
Q

The three components that determine Snowflake costs/usage

A

Storage
Virtual Warehouse (compute)
Cloud Services

3
Q

Data Storage (usage)

A

Usage for data storage is calculated from the daily average amount of compressed data stored in the system, covering staged files and table data, including the historical data retained for Time Travel, clones and Fail-safe.

4
Q

Virtual Warehouses/Compute (usage)

A

Usage for virtual warehouses (compute) is calculated based on the number of Snowflake credits consumed during query execution, loading data, and other DML ops.

5
Q

Cloud Services (usage)

A

Usage for cloud services is only charged if the daily consumption of the services exceeds 10% of the daily usage of compute resources.

6
Q

Information Schema

A

The Snowflake Information Schema or Data Dictionary consists of a set of system-defined views and table functions that provide metadata information about the objects created in your account.

The Snowflake Information Schema is based on the SQL-92 ANSI Information Schema.

7
Q

MFA Enablement

A

MFA is enabled on a per-user basis, and users are not (currently) auto-enrolled in MFA; users must enroll themselves.

Any user can self-enroll through the web interface.

8
Q

Snowflake MFA Recommendation

A

It is strongly recommended by Snowflake that all ACCOUNTADMIN users be required to use MFA.

9
Q

Disabling MFA for a particular user

A

-- temporary bypass: the user can log in without MFA for the next 10 minutes,
-- e.g. while re-enrolling after losing a device (jsmith is a placeholder user name)
ALTER USER jsmith SET MINS_TO_BYPASS_MFA = 10;

-- permanent: turns MFA off for the user, who must re-enroll to turn it back on
ALTER USER jsmith SET DISABLE_MFA = TRUE;

10
Q

DISABLE_MFA property

A

DISABLE_MFA is a write-only property: it is not a column in any Snowflake table or view, and DESCRIBE USER does not list it.

When an account admin sets DISABLE_MFA to TRUE, Snowflake sets the user's EXT_AUTHN_DUO property to FALSE. EXT_AUTHN_DUO (visible in DESCRIBE USER and SHOW USERS) is therefore the value to check when auditing whether a user is enrolled in MFA.
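An added audit query, not part of the original flashcards, that ties cards 8 to 10 together: it lists every user currently granted ACCOUNTADMIN whose EXT_AUTHN_DUO flag is not TRUE, i.e. who has never enrolled in MFA or had it switched off with DISABLE_MFA. The SNOWFLAKE.ACCOUNT_USAGE views and columns used are Snowflake's own; the user name jsmith in the final DESCRIBE is a placeholder.

```sql
-- Added example: find ACCOUNTADMIN holders without MFA.
-- Needs a role with access to the SNOWFLAKE database (ACCOUNTADMIN by default).
-- ACCOUNT_USAGE data lags the live state by up to a few hours, so confirm a
-- specific user with DESCRIBE USER before acting on the result.
SELECT u.name,
       u.login_name,
       u.ext_authn_duo       AS mfa_enrolled,
       u.bypass_mfa_until,                 -- non-null if MINS_TO_BYPASS_MFA is in effect
       u.has_rsa_public_key,               -- key-pair auth users never see an MFA prompt
       u.last_success_login
FROM snowflake.account_usage.users u
JOIN snowflake.account_usage.grants_to_users g
  ON g.grantee_name = u.name
WHERE g.role = 'ACCOUNTADMIN'
  AND g.deleted_on IS NULL                 -- grant still active
  AND u.deleted_on IS NULL                 -- user still exists
  AND COALESCE(u.disabled::BOOLEAN, FALSE) = FALSE
  AND COALESCE(u.ext_authn_duo, FALSE) = FALSE
ORDER BY u.last_success_login DESC NULLS LAST;

-- Live state for one user (jsmith is a placeholder). EXT_AUTHN_DUO is the MFA
-- flag; DISABLE_MFA itself never appears in the output because it is write-only.
DESCRIBE USER jsmith;
```

Users who authenticate only with a key pair or through SSO show EXT_AUTHN_DUO = FALSE as well, so the HAS_RSA_PUBLIC_KEY column is included to separate "no MFA because password login" from "no password login at all" before escalating.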

11
Q

MFA Caching

A

MFA caching lets a supported client driver (ODBC, JDBC, the Python connector, SnowSQL) reuse a cached MFA token, so the user can reconnect to Snowflake without a new MFA prompt for up to 4 hours after the token was issued. It must be enabled for the account with the ALLOW_CLIENT_MFA_CACHING parameter.

12
Q

MFA Token Invalidation Criteria

A
  • The ALLOW_CLIENT_MFA_CACHING parameter is set to FALSE for the account.
  • The method of authentication changes.
  • The authentication credentials change (e.g. the username or password).
  • The authentication credentials are not valid.
  • The cached token expires or is not cryptographically valid.
  • The account name associated with the cached token changes.

A cached MFA token is invalid if any of the above conditions is met, and the user is prompted for MFA again on the next login.

13
Q

Enabling MFA Caching

A

ALTER ACCOUNT SET ALLOW_CLIENT_MFA_CACHING = true;

An account admin must set the ALLOW_CLIENT_MFA_CACHING parameter to true for an account using the ALTER ACCOUNT command

14
Q

Encryption Key Management

A

Snowflake manages data encryption keys to protect customer data. This management occurs automatically without any customer intervention.

Customers can use the key management service in the cloud platform that hosts their Snowflake account to maintain their own additional encryption key.

15
Q

Tri-Secret Secure

A

The combination of a Snowflake-maintained key and a customer-managed key creates a composite master key that protects the Snowflake data; this is called Tri-Secret Secure. If the customer revokes or disables its key in the cloud provider's key management service, Snowflake can no longer decrypt the data. Tri-Secret Secure requires Business Critical Edition or higher.

16
Q

Encryption Standards for Snowflake Managed Keys

A

All customer data is encrypted by default using the latest security standards and best practices.
Snowflake uses AES 256-bit encryption with a hierarchical key model rooted in a hardware security module.

17
Q

Rekeying

A

Keys are rotated on a regular basis by Snowflake, and data can be re-encrypted (“rekeyed”) on a regular basis.

18
Q

Hierarchical Key Model (wrapping)

A

The hierarchical key model is composed of several layers of keys in which each higher layer of keys (parent keys) encrypts the layer below (child keys). This is also referred to as “wrapping”.

The layers are as follows (in descending order):

- Root Key
- Account Master Keys
- Table Master Keys
- File Keys
19
Q

Key Rotation Threshold

A

All Snowflake-managed keys are auto-rotated when they are more than 30 days old.

20
Q

Rotation Key Encryption

A

During rotation the active key is "retired" and a new active key is created. A retired key is used only to decrypt the data it already protects; it is never used to encrypt new data.
When a key is destroyed, it can no longer be used for encryption or decryption.

21
Q

Periodic Rekeying

A

Key rotation moves a key from its active state to a retired state; rekeying moves it from its retired state to destroyed.
When a retired encryption key for a table is older than one year, Snowflake automatically creates a new encryption key, re-encrypts all data that the retired key protected with the new key, and then destroys the retired key. The new key is used for that table's data until the cycle repeats.
Periodic rekeying is available on Enterprise Edition or higher and is off by default.

22
Q

Enable Periodic Rekeying

A

Account Admin users should ALTER ACCOUNT and the PERIODIC_DATA_REKEYING parameter

ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = true;

23
Q

Effects of Rekeying on Time Travel and Fail-safe

A

Time Travel and Fail-safe retention periods are not affected by rekeying.

Additional storage charges are associated with rekeying of data in Fail-safe. Snowflake customers are charged with additional storage for Fail-safe protection of data files that were rekeyed. For these files, 7 days of Fail-safe protection is charged.

24
Q

Hardware Security Module (HSM)

A

Snowflake relies on the cloud-hosted hardware security module (HSM) service of the platform that hosts the account as a tamper-proof, highly secure way to generate, store, and use the root keys of the key hierarchy.

25
Q

Benefits of HSM

A
  • The HSM ensures that the root key never leaves the HSM and that all cryptographic operations on it are performed within the HSM.
  • Every key below the root in the key hierarchy requires the HSM in order to be unwrapped.
  • In addition to generating new keys when accounts and tables are created, the HSM generates secure, random encryption keys during key rotation and rekeying.
26
Q

End-to-end encryption (E2EE)

A

End-to-end encryption (E2EE) protects data so that no third party can read it, whether at rest or in transit to and from Snowflake, which minimizes the attack surface.

27
Q

Encryption Areas

A

While the data may not be encrypted in the Customer provided staging area, it will be encrypted as soon as it enters Snowflake.

28
Q

Client-side Encryption Protocol

A
  1. The customer creates a secret master key, which is shared with Snowflake (when the stage is created).
  2. The client, which is provided by the cloud storage service, generates a random encryption key and encrypts the file with it before uploading the file to cloud storage. The random encryption key is then itself encrypted with the customer's master key.
  3. Both the encrypted file and the encrypted random key are uploaded to the cloud storage service; the encrypted random key is stored in the file's metadata. Neither the master key nor the plaintext random key is ever stored alongside the file.
29
Q

Ingesting Client-side Encrypted Data into Snowflake

A

-- create an external stage for files encrypted client-side; MASTER_KEY is the
-- customer's base64-encoded 128- or 256-bit AES key, which Snowflake uses to
-- decrypt the per-file keys during loading
CREATE STAGE encrypted_customer_stage
  URL = 's3://customer-bucket/data/'
  CREDENTIALS = (AWS_KEY_ID = 'ABCDEFGH' AWS_SECRET_KEY = '12345678')
  ENCRYPTION = (MASTER_KEY = 'eSxX0jzYfIamtnBKOEOxq80Au6NbSgPH5r4BDDwOaO8=');
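An added example, not from the original flashcards, completing the ingest step that the card stops short of: loading from the client-side encrypted stage created above. The target table customer_raw and its columns are placeholders; the stage name is the one from the card.

```sql
-- Added example: load client-side encrypted files from the stage above.
-- Snowflake decrypts each file with the stage's MASTER_KEY as part of COPY;
-- if the key on the stage does not match the one used at upload, LIST still
-- shows the files but COPY cannot decrypt them.
LIST @encrypted_customer_stage;

-- placeholder target table
CREATE TABLE IF NOT EXISTS customer_raw (
  id        NUMBER,
  email     STRING,
  signup_ts TIMESTAMP_NTZ
);

COPY INTO customer_raw
  FROM @encrypted_customer_stage
  FILE_FORMAT = (TYPE = 'CSV' SKIP_HEADER = 1)
  ON_ERROR = 'ABORT_STATEMENT';   -- fail closed rather than load a partial batch

-- what was loaded, per file, for the last day
SELECT file_name, status, row_count, first_error_message
FROM TABLE(information_schema.copy_history(
       TABLE_NAME => 'CUSTOMER_RAW',
       START_TIME => DATEADD(hours, -24, CURRENT_TIMESTAMP())));
```

Once the data is in the table it is protected by Snowflake's own hierarchical keys (card 18); the customer master key only governs the files while they sit in the customer's bucket.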

30
Q

Network Policies

A

Network policies restrict access to your account based on the client IP address of the user's connection.
A policy consists of an allowed IP list and an optional blocked IP list. It can be assigned to the account as a whole or to individual users; a user-level policy takes precedence over the account-level policy for that user.

31
Q

CIDR Notation

A

Snowflake supports specifying ranges of IP addresses using Classless Inter-Domain Routing (i.e. CIDR) notation.
For example, 192.168.1.0/24 represents all IP addresses in the range of 192.168.1.0 to 192.168.1.255.

32
Q

Bypassing Network Policy

A

It is possible to temporarily bypass a network policy for a set number of minutes by configuring the user object property MINS_TO_BYPASS_NETWORK_POLICY, whose current value can be viewed by executing DESCRIBE USER.

Only Snowflake can set the value of this property; contact Snowflake Support to have it set.

33
Q

Creating a Network Policy

A

-- allow the whole /24 but carve one host out of it: the blocked entry wins
-- over the allowed range it falls inside
CREATE NETWORK POLICY mypolicy1
  ALLOWED_IP_LIST = ('192.168.1.0/24')
  BLOCKED_IP_LIST = ('192.168.1.99');

DESC NETWORK POLICY mypolicy1;

34
Q

Identify a Network Policy by Account

A

SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;

35
Q

Identify a Network Policy by User

A

SHOW PARAMETERS LIKE 'network_policy' IN USER jsmith;   -- jsmith is a placeholder user name
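An added example, not from the original flashcards, that runs cards 30 to 35 end to end: create an account-wide policy, activate it, give one service account a tighter user-level policy, and verify what is in force. Policy and user names are placeholders; 203.0.113.0/24 is a documentation range standing in for a corporate egress block.

```sql
-- Added example: roll out network policies without locking yourself out.
-- Run as SECURITYADMIN (or a role holding CREATE NETWORK POLICY on the account).
USE ROLE SECURITYADMIN;

-- 1. Account-wide policy: corporate egress ranges allowed, one host carved out.
CREATE NETWORK POLICY corp_policy
  ALLOWED_IP_LIST = ('192.168.1.0/24', '203.0.113.0/24')
  BLOCKED_IP_LIST = ('192.168.1.99')
  COMMENT = 'Corporate egress ranges only';

-- 2. Activate it for the account. Snowflake checks the IP address of the
--    session issuing this statement against the policy and rejects the
--    ALTER if that address would be blocked, so an admin cannot lock out
--    the whole account from an address the policy does not allow.
ALTER ACCOUNT SET NETWORK_POLICY = corp_policy;

-- 3. A stricter policy for a service account (single fixed NAT address).
--    The user-level policy replaces, not narrows, the account policy for
--    that user, so list every address it legitimately needs.
CREATE NETWORK POLICY etl_policy
  ALLOWED_IP_LIST = ('203.0.113.10');
ALTER USER etl_svc SET NETWORK_POLICY = etl_policy;

-- 4. Verify: which policy applies where, and what each one contains.
SHOW PARAMETERS LIKE 'network_policy' IN ACCOUNT;
SHOW PARAMETERS LIKE 'network_policy' IN USER etl_svc;
DESC NETWORK POLICY corp_policy;
DESC NETWORK POLICY etl_policy;
SHOW NETWORK POLICIES;

-- 5. Rollback if something is wrong: unset rather than drop, so the policy
--    object can be fixed and re-attached.
-- ALTER ACCOUNT UNSET NETWORK_POLICY;
```

A blocked login attempt still appears in SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY with IS_SUCCESS = 'NO' and the rejecting address in CLIENT_IP, which is the place to look when a user reports being shut out after a rollout.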

36
Q

Access Control in Snowflake

A

Snowflake provides granular control over access to objects - who can access what objects, what operations can be performed on those objects, and who can create/alter access control policies.

37
Q

Access Control Models in Snowflake

A
  • Discretionary Access Control (DAC)
  • Role-based Access Control (RBAC)

38
Q

Discretionary Access Control (DAC)

A

Each object has an owner, who can in turn grant access to that object.

39
Q

Role-based Access Control (RBAC)

A

Access privileges are assigned to roles, which are in turn assigned to users.

40
Q

Key objects within Access Control in Snowflake

A
  • Securable Object
  • Role
  • Privilege
  • User
41
Q

Securable Object

A

An entity to which access can be granted. Unless allowed by a grant, access will be denied.

42
Q

Role

A

An entity to which privileges can be granted. Roles are in turn assigned to users. Roles can also be assigned to other roles to create a role hierarchy.

43
Q

Privilege

A

A defined level of access to an object. Multiple privileges can be assigned to a role, and may be used to control the granularity of access granted.

44
Q

User

A

A user identity recognized by Snowflake.

45
Q

Object Ownership

A

To own an object means that a role has the OWNERSHIP privilege on the object. Each securable object is owned by a single role, which by default is the role used to create the object.

46
Q

Managed Access Schema

A

In a managed access schema, unlike a regular schema, object owners cannot grant privileges on (or transfer ownership of) the objects they own within the schema. Only the schema owner, or a role with the global MANAGE GRANTS privilege, can grant privileges on objects in the schema, including future grants. Objects are still owned by the role that created them; what moves to the schema owner is the grant decision.

47
Q

ORGADMIN

A

A separate system role that manages operations at the organization level, not included in the hierarchy system of roles.

48
Q

Role Hierarchy

A

ACCOUNTADMIN
  SECURITYADMIN
    USERADMIN
  SYSADMIN
    custom roles
PUBLIC (automatically granted to every user and role; the bottom of the hierarchy)

Each role inherits the privileges of the roles beneath it, so ACCOUNTADMIN inherits everything granted to SECURITYADMIN and SYSADMIN, and SYSADMIN inherits custom roles that are granted to it.
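An added example, not from the original flashcards, that puts cards 42, 46 and 48 into one script: a custom-role hierarchy that rolls up to SYSADMIN, and a managed access schema in which the schema owner, not each object owner, decides the grants. Database, schema and role names are placeholders.

```sql
-- Added example: role hierarchy plus a managed access schema.

-- 1. Custom roles (USERADMIN owns role creation). Reader rolls up to owner,
--    owner rolls up to SYSADMIN, so SYSADMIN and ACCOUNTADMIN inherit both.
USE ROLE USERADMIN;
CREATE ROLE IF NOT EXISTS analytics_owner;
CREATE ROLE IF NOT EXISTS analytics_reader;
GRANT ROLE analytics_reader TO ROLE analytics_owner;
GRANT ROLE analytics_owner  TO ROLE SYSADMIN;

-- 2. Managed access schema. Grants on objects inside it can only be made by
--    the schema owner or a role holding MANAGE GRANTS, never by object owners.
USE ROLE SYSADMIN;
CREATE DATABASE IF NOT EXISTS analytics;
CREATE SCHEMA analytics.curated WITH MANAGED ACCESS;
GRANT OWNERSHIP ON SCHEMA analytics.curated TO ROLE analytics_owner;
GRANT USAGE ON DATABASE analytics TO ROLE analytics_reader;

-- 3. Schema owner hands out read access, including for tables not yet created.
USE ROLE analytics_owner;
GRANT USAGE  ON SCHEMA analytics.curated TO ROLE analytics_reader;
GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics.curated TO ROLE analytics_reader;
CREATE TABLE analytics.curated.orders (id NUMBER, amount NUMBER(12,2));

-- 4. Checks: the schema reports managed access, and the grant came from the
--    schema owner rather than the table's creator.
SELECT schema_name, is_managed_access
FROM analytics.information_schema.schemata
WHERE schema_name = 'CURATED';
SHOW GRANTS ON TABLE analytics.curated.orders;
SHOW FUTURE GRANTS IN SCHEMA analytics.curated;
```

In a regular schema, a role that creates a table in someone else's schema could grant SELECT on it to any role it likes; the WITH MANAGED ACCESS clause is what closes that gap.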

49
Q

Federated Environment

A

In a federated environment, user authentication is separate from user access through the use of one or more external entities to provide independent authentication of user credentials.

50
Q

Federated Environment Components

A
  • Service Provider (SP)
  • Identity Provider (IdP)

51
Q

Service Provider

A

In a federated environment with Snowflake, Snowflake itself is the service provider (SP): it relies on the IdP's assertion that the user has authenticated and then applies its own access control to that user.

52
Q

Identity Provider

A

An external, independent entity responsible for maintaining user credentials/other profile information and authenticating users for SSO access to the service provider.

53
Q

Categories of Privilege

A

Global Privileges
Account Object Privileges
Schema Privileges
Schema Object Privileges

54
Q

Dynamic Data Masking

A

A column-level security feature that uses masking policies to selectively mask data at query run-time. This is data that was previously loaded in plain-text (unmasked).

55
Q

Dynamic Data Masking Configuration

A

Grant the masking policy privileges (CREATE MASKING POLICY on the schema and APPLY MASKING POLICY on the account) to a custom role, grant that role to the right user, have the role define the masking policies, and then apply the policies to the columns holding sensitive data. From then on, any query that reads those columns returns masked values unless the querying role is one the policy allows to see the data; the stored data itself is unchanged.
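An added example, not from the original flashcards, that carries out the configuration described in cards 54 and 55 with a concrete policy. Database, schema, table, role and user names are placeholders; the grant statements and policy syntax are Snowflake's own. Dynamic Data Masking requires Enterprise Edition or higher.

```sql
-- Added example: centralized masking-policy administration and a column policy.

-- 1. A dedicated role owns the policies; ACCOUNTADMIN sets it up once.
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS masking_admin;
GRANT USAGE ON DATABASE hr TO ROLE masking_admin;
GRANT USAGE ON SCHEMA hr.people TO ROLE masking_admin;
GRANT CREATE MASKING POLICY ON SCHEMA hr.people TO ROLE masking_admin;
GRANT APPLY MASKING POLICY ON ACCOUNT TO ROLE masking_admin;   -- may attach policies to any column
GRANT ROLE masking_admin TO USER sec_eng;

-- 2. The policy: HR analysts see the real address, everyone else only the domain.
--    Policies are evaluated with the querying role, so decisions key off CURRENT_ROLE().
USE ROLE masking_admin;
CREATE OR REPLACE MASKING POLICY hr.people.email_mask AS (val STRING)
  RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('HR_ANALYST') THEN val
    WHEN val IS NULL THEN NULL
    ELSE REGEXP_REPLACE(val, '^.*@', '*****@')
  END;

-- 3. Attach it. Data already loaded in clear text stays as it is on disk;
--    masking is applied when the column is read.
ALTER TABLE hr.people.employees
  MODIFY COLUMN email SET MASKING POLICY hr.people.email_mask;

-- 4. Check: the same query under two roles returns different results.
USE ROLE hr_analyst;
SELECT email FROM hr.people.employees LIMIT 3;
USE ROLE public;
SELECT email FROM hr.people.employees LIMIT 3;

-- 5. Inventory: which columns carry which policy.
SELECT policy_name, ref_entity_name, ref_column_name
FROM TABLE(hr.information_schema.policy_references(
       POLICY_NAME => 'HR.PEOPLE.EMAIL_MASK'));
```

Two practitioner checks worth remembering: a role that can see the clear value can also copy it into an unprotected table (CREATE TABLE AS SELECT), so the allow list in the CASE should be as short as the business permits; and masked columns still participate in joins and predicates on the stored value, so a masked user can sometimes infer data through WHERE clauses, which is why Snowflake also offers row access policies for that case.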

56
Q

Metadata and Usage Schemas

A

INFORMATION_SCHEMA
ACCOUNT_USAGE
READER_ACCOUNT_USAGE

57
Q

ACCOUNT_USAGE schema

A

Contains views (in the shared SNOWFLAKE database) that display object metadata and usage metrics for your account, such as LOGIN_HISTORY, QUERY_HISTORY, USERS and GRANTS_TO_USERS.

58
Q

Difference between ACCOUNT_USAGE and INFORMATION_SCHEMA

A

ACCOUNT_USAGE mirrors INFORMATION_SCHEMA with three differences: it includes records for dropped objects, it retains historical usage data for longer (up to one year, versus days for the INFORMATION_SCHEMA table functions), and its data is not real time (latency ranges from 45 minutes to several hours depending on the view). Use INFORMATION_SCHEMA for what is true right now and ACCOUNT_USAGE for audit and trend queries.

59
Q

READER_ACCOUNT_USAGE schema

A

Essentially the ACCOUNT_USAGE views again, but covering all of one's reader accounts (relevant only if one is a Secure Data Sharing provider that has created reader accounts).

60
Q

External Tokenization

A

Allows organizations to tokenize sensitive data before loading that data into Snowflake and dynamically detokenize the data at query runtime using masking policies and external functions.

61
Q

External Tokenization Requirements

A

External Functions

Enterprise Edition or higher

62
Q

How does External Tokenization work?

A

External Tokenization applies to data that was tokenized BEFORE being loaded into Snowflake, so Snowflake only ever stores the tokens. A masking policy on the column calls an external function, which contacts the customer's tokenization service to detokenize the values at query runtime, and only for roles the masking policy permits; every other role receives the stored tokens.
