Snowflake Compliance Checks

The Snowflake plugin is meant to connect to Snowflake REST API endpoints that can be found in the Snowflake products. The plugin connects to Snowflake targets, fetches data from REST API endpoints, and evaluates the output for specific expressions.

Scan Requirements

Credentials

The plugin requires the cloud services scanning credentials of Snowflake API that include the following:

• Username—The required username for an account on the Snowflake target with a 2048-bit RSA key pair assigned.
• Account Identifier—The required Snowflake account identifier (for more information, see https://docs.snowflake.com/en/user-guide/admin-account-identifier).
• Role—The optional Snowflake role. If you provide the roll, the audit runs SQL statements using the specified role. The default value is ACCOUNTADMIN. If you omit the role, the SQL statement runs using the user DEFAULT_ROLE (for more information, see https://docs.snowflake.com/en/sql-reference/sql/alter-user).
• Warehouse—The optional Snowflake warehouse. If you provide the warehouse, the audit runs SQL statements using the specified warehouse. The default value is COMPUTE_WH. If you omit the warehouse, the SQL statement runs using your DEFAULT_WAREHOUSE (for more information, see https://docs.snowflake.com/en/user-guide/warehouses).
• Private Key—The required PEM formatted 2048-bit RSA private key to use when connecting to the target. For instructions on how to generate the key and assign it to a user, see https://docs.snowflake.com/en/user-guide/key-pair-auth.
• Passphrase—The optional passphrase for the private key.

Permissions

A user with the ACCOUNTADMIN role is required.

Checks

All Snowflake REST API compliance checks must be bracketed with the check_type encapsulation and the Snowflake designation. This is required to differentiate .audit files intended specifically for Snowflake REST API from other types of compliance audits.

<check_type:"Snowflake">
* audit content
</check_type>

Review the following topics on specific elements in the audit language.

• Snowflake Audit Containers
• Snowflake Audit Items
• Snowflake Comments
• Snowflake SQL_POLICY
• Snowflake KB_VALUE