Account and Security Flashcards
Account Identifiers
Account identifiers uniquely identify a Snowflake account within an organization and throughout the global network of Snowflake-supported cloud platforms and cloud regions.
The three components that determine Snowflake costs/usage
Storage
Virtual Warehouse (compute)
Cloud Services
Data Storage (usage)
Usage for data storage is calculated on the daily average amount of data stored in the system for staged files and tables (historical, time-travel, clones and fail-safe).
Virtual Warehouses/Compute (usage)
Usage for virtual warehouses (compute) is calculated based on the number of Snowflake credits consumed during query execution, loading data, and other DML ops.
Cloud Services (usage)
Usage for cloud services is only charged if the daily consumption of the services exceeds 10% of the daily usage of compute resources.
Information Schema
The Snowflake Information Schema or Data Dictionary consists of a set of system-defined views and table functions that provide metadata information about the objects created in your account.
The Snowflake Information Schema is based on the SQL-92 ANSI Information Schema.
MFA Enablement
MFA is enabled on a per-user basis, and users are not (currently) auto-enrolled in MFA; users must enroll themselves.
Any user can self-enroll through the web interface.
Snowflake MFA Recommendation
It is strongly recommended by Snowflake that all ACCOUNTADMIN users be required to use MFA.
Disabling MFA for a particular user
ALTER USER <user_name> SET MINS_TO_BYPASS_MFA = 10;
ALTER USER <user_name> SET DISABLE_MFA = TRUE;
(ALTER USER requires the name of the user being modified; <user_name> is a placeholder.)
DISABLE_MFA property
DISABLE_MFA is not a column in any Snowflake table or view.
When an account admin sets DISABLE_MFA to true, the value for the EXT_AUTHN_DUO property is set to FALSE.
MFA Caching
Using MFA Caching allows users to log back into Snowflake without having to use MFA again within a given timeframe (4 hours).
MFA Token Invalidation Criteria
- The ALLOW_CLIENT_MFA_CACHING parameter is set to FALSE for the account.
- The method of authentication changes.
- The authentication credentials change (i.e. username/password).
- The authentication credentials are not valid.
- The cached token expires or is not cryptographically valid.
- The account name associated with the cached token changes.
A cached MFA token is invalid if any of the above conditions are met.
Enabling MFA Caching
ALTER ACCOUNT SET ALLOW_CLIENT_MFA_CACHING = true;
An account admin must set the ALLOW_CLIENT_MFA_CACHING parameter to true for an account using the ALTER ACCOUNT command.
Encryption Key Management
Snowflake manages data encryption keys to protect customer data. This management occurs automatically without any customer intervention.
Customers can use the key management service in the cloud platform that hosts their Snowflake account to maintain their own additional encryption key.
Tri-Secret Secure
The combination of a Snowflake-maintained key and a Customer-managed key creates a composite master key to protect the Snowflake data, called Tri-Secret Secure.
Encryption Standards for Snowflake Managed Keys
All customer data is encrypted by default using the latest security standards and best practices.
Snowflake uses AES 256-bit encryption with a hierarchical key model rooted in a hardware security module.
Rekeying
Keys are rotated on a regular basis by Snowflake, and data can be re-encrypted (“rekeyed”) on a regular basis.
Hierarchical Key Model (wrapping)
The hierarchical key model is composed of several layers of keys in which each higher layer of keys (parent keys) encrypts the layer below (child keys). This is also referred to as “wrapping”.
The layers are as follows (in descending order):
- Root Key
- Account Master Keys
- Table Master Keys
- File Keys
Key Rotation Threshold
All Snowflake-managed keys are auto-rotated when they are more than 30 days old.
Rotation Key Encryption
Active keys are “retired” and new keys are created. Retired keys are only used to decrypt data and are only available for accessing the data.
When a key is destroyed, it is no longer used for encryption or decryption.
Periodic Rekeying
While key rotation ensures that a key is transferred from its active state to a retired state, rekeying ensures that a key is transferred from its retired state to being destroyed.
When retired encryption keys (for a table) are older than 1 year, Snowflake will automatically create a new encryption key and re-encrypt all data previously protected by the retired key with the new key. This key will be used for the table data going forward until the cycle repeats itself.
This feature is only available on Enterprise Edition Accounts.
Enable Periodic Rekeying
Account admin users enable it with the ALTER ACCOUNT command by setting the PERIODIC_DATA_REKEYING parameter:
ALTER ACCOUNT SET PERIODIC_DATA_REKEYING = true;
Effects of Rekeying on Time Travel and Fail-safe
Time Travel and Fail-safe retention periods are not affected by rekeying.
Additional storage charges are associated with rekeying of data in Fail-safe. Snowflake customers are charged additional storage for Fail-safe protection of data files that were rekeyed. For these files, 7 days of Fail-safe protection is charged.
Hardware Security Module (HSM)
Snowflake relies on one of several cloud-hosted hardware security module (HSM) services as a tamper-proof, highly secure way to generate, store, and use the root keys of the key hierarchy.
Benefits of HSM
- The HSM ensures keys never leave the HSM and that all cryptographic operations are performed within the HSM.
- All keys in the key hierarchy require the HSM to be unwrapped.
- In addition to generating new keys when creating new accounts and tables, the HSM generates secure, random encryption keys during key rotation and rekeying.