- 2 Minutes to read
About this document
This document provides the step-by-step procedure to onboard a Snowflake asset in SAFE.
Important
SAFE integrates with Snowflake and onboards the Snowflake assets under the Cloud-SaaS Applications vertical. Onboarding a Snowflake account is a three-step process:
- Download the script from SAFE and generate connection details
- Enter and Save the connection details in SAFE
- Assess the Snowflake account and view results in SAFE.
To assess a Snowflake asset, SAFE needs a user with a read-only role, and this user must be exempted from MFA (Multi-factor Authentication). Instead of MFA, restrict this user so that it can connect only from the SAFE instance’s IP address. We recommend granting this account read access to security settings only, and no access to any other data stored in Snowflake.
Network Policy in Snowflake
- To create a Network Policy in Snowflake, refer to the Snowflake documentation on network policies.
- In the Allowed IP Addresses, specify the SAFE IP address. Raise a service request with SAFE support for assistance with the IP addresses during this process.
- To enforce the created Network Policy on the user, execute the following command:
alter user <username> set NETWORK_POLICY = '<policy name>';
- To check that the Network Policy has been applied successfully, execute the following command:
show parameters like 'network_policy' in user <username>;
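The policy, the user binding and the verification above as one worked SQL sequence. This is an added example, not the script SAFE downloads for you and not Snowflake's own documentation; the policy, role and user names, the password and the IP address are placeholders, and the real SAFE instance IP comes from SAFE support.

```sql
-- Constructed example: run as a user holding ACCOUNTADMIN (or SECURITYADMIN for policies).
-- 1. Restrict connections to the SAFE instance only (placeholder IP from TEST-NET-3;
--    replace with the address provided by SAFE support).
CREATE NETWORK POLICY IF NOT EXISTS safe_scanner_policy
  ALLOWED_IP_LIST = ('203.0.113.10/32')
  COMMENT = 'Only the SAFE instance may connect with the SAFE read-only user';

-- 2. A dedicated role for the scanner, so its privileges can be audited in one place.
--    Grant it read access to security settings only, never to business data.
CREATE ROLE IF NOT EXISTS safe_readonly_role
  COMMENT = 'Read-only role used by SAFE to assess Snowflake controls';

-- 3. The least-privileged user SAFE connects with. No MFA on this service user,
--    so the network policy is what compensates for its absence.
CREATE USER IF NOT EXISTS safe_readonly
  PASSWORD = '<strong-generated-password>'   -- placeholder; note it in SAFE Hooks
  DEFAULT_ROLE = safe_readonly_role
  MUST_CHANGE_PASSWORD = FALSE
  COMMENT = 'Service user for SAFE; restricted by safe_scanner_policy';
GRANT ROLE safe_readonly_role TO USER safe_readonly;

-- 4. Bind the policy to the user (the command from the step above).
ALTER USER safe_readonly SET NETWORK_POLICY = 'safe_scanner_policy';

-- 5. Verify: the value column should read safe_scanner_policy, and the policy's
--    allowed list should contain only the SAFE address.
SHOW PARAMETERS LIKE 'network_policy' IN USER safe_readonly;
DESCRIBE NETWORK POLICY safe_scanner_policy;
```

If the policy is later edited, re-run the two verification statements; a user-level policy takes precedence over an account-level one, so check the user binding rather than the account parameter.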
Onboard a Snowflake account in SAFE
Step 1: Download the script from SAFE and generate connection details
The below steps need to be performed only on the Snowflake Classic UI experience.
- Login to SAFE and navigate to SAFE Hooks.
- Click the Snowflake card.
- On the configuration page, click the Download Script button available under step 1.
- The script is downloaded to your system. It performs the following tasks:
- Creates the SAFE read-only user.
- Creates a non-privileged table that can be accessed by the SAFE read-only user.
- Creates tasks that, at specific intervals, fetch from the privileged tables the configuration information required to validate the controls and store it in the non-privileged table.
- Go to your Snowflake account URL and log in with ACCOUNTADMIN privileges.
- Click on the three dots options menu available at the top-right of the screen.
- Click the Load Script option and upload the script downloaded from SAFE.
- Mark the All Queries checkbox.
- Click the Run button.
- After running all the queries inside the loaded script, the system displays the connection details (username and password). Note down the username and password of the read-only user to use in Step 2.
The password for the least-privileged (read-only) user is regenerated every time you load the script. Make a note of the user's new password and update it in SAFE so that the assessment can run.
Step 2: Enter and save connection details in SAFE
- Navigate to the Snowflake configuration page in SAFE Hooks.
- Enter the connection details: the Snowflake instance URL, Username, and Password generated in Step 1.
- Click the Test Connection button.
- Once the connection is verified, click the Save button. You have now successfully onboarded the Snowflake account in SAFE.
Step 3: Assess the Snowflake account and view results in SAFE
- On the Snowflake configuration page in SAFE Hooks, click the Sync Now button to assess the onboarded Snowflake account.
- Once saved, the account is assessed once per day at the scheduled scan time, a pre-set time within each 24-hour period.
- To view the result:
- Go to the Risk Scenario page, and click the Group Risk tab.
- Click the Cloud SaaS Applications Risk from the list.
- Scroll down and click the Attack Surface view.
- Here you can see the Snowflake asset.
- Click the Snowflake asset to view the controls and their status.