About this document
This document provides the step-by-step procedure to onboard a Snowflake asset in SAFE.
- This document only applies to onboarding a single Snowflake account in SAFE.
- To onboard multiple Salesforce accounts in SAFE, raise a service request to SAFE support to assist you.
SAFE integrates with Snowflake and onboards the Snowflake assets under the Cloud-SaaS Applications vertical. Onboarding a Snowflake account is a three-step process:
- Download the script from SAFE and generate connection details
- Enter and save the connection details in SAFE
- Assess the Snowflake account and view results in SAFE
- To create a Network Policy in Snowflake, refer to the Snowflake documentation.
- In the Allowed IP Addresses, specify the SAFE IP address. Raise a service request to SAFE support to get online assistance with IP addresses during the process.
- To enforce the created Network Policy on the user, execute the following command:
alter user <username> set NETWORK_POLICY = '<policy name>';
- To check that the Network Policy has been applied successfully, execute the following command:
show parameters like 'network_policy' in user <username>;
Onboard a Snowflake account in SAFE
Step 1: Download the script from SAFE and generate connection details
- Log in to SAFE and navigate to SAFE Hooks.
- Click the Snowflake card.
- On the configuration page, click the Download Script button available under step 1.
- The system downloads a script to your system. This script performs the following tasks:
  - Creates the SAFE read-only user.
  - Creates a non-privileged table that can be accessed by the SAFE read-only user.
  - Creates tasks that continuously fetch, at specific intervals, the configuration information required to validate the controls from the privileged tables and store it in the non-privileged table.
- Go to your Snowflake account URL and log in with the “ACCOUNTADMIN” privilege.
- Click on the three dots options menu available at the top-right of the screen.
- Click the Load Script option and upload the script downloaded from SAFE.
- Mark the All Queries checkbox.
- Click the Run button.
- After running all the queries inside the loaded script, the system displays the connection details (username and password). Note down the username and password of the read-only user to use in Step 2.
The password for the least privileged (read-only) user is updated every time you load the script. Make a note of the new password and update it in SAFE so that the assessment can be performed.
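As an added example (not part of the SAFE script or the original page), the following Snowflake SQL applies the Network Policy steps above to the read-only user created in Step 1 and reviews what that user is allowed to do. The names SAFE_SCANNER_POLICY, SAFE_READONLY_USER and SAFE_READONLY_ROLE are hypothetical, and 203.0.113.10 is a placeholder for the SAFE IP address; substitute the values from your account and from SAFE support.

```sql
-- Added example. Hypothetical names: SAFE_SCANNER_POLICY, SAFE_READONLY_USER,
-- SAFE_READONLY_ROLE. 203.0.113.10 is a documentation-range placeholder for
-- the SAFE IP address. Run with a role that can create network policies
-- (for example SECURITYADMIN or ACCOUNTADMIN).

-- 1. Create a policy that only admits the SAFE assessment address.
CREATE NETWORK POLICY SAFE_SCANNER_POLICY
  ALLOWED_IP_LIST = ('203.0.113.10')
  COMMENT = 'Restrict the SAFE read-only user to the SAFE IP address';

-- 2. Enforce it on the read-only user only, not on the whole account,
--    so other users keep their existing network access.
ALTER USER SAFE_READONLY_USER SET NETWORK_POLICY = 'SAFE_SCANNER_POLICY';

-- 3. Confirm the policy is attached at user level and holds the expected IPs.
SHOW PARAMETERS LIKE 'network_policy' IN USER SAFE_READONLY_USER;
DESCRIBE NETWORK POLICY SAFE_SCANNER_POLICY;

-- 4. Review what the onboarding script created before trusting it.
--    Roles granted to the user:
SHOW GRANTS TO USER SAFE_READONLY_USER;

--    Privileges held by the role the user assumes:
SHOW GRANTS TO ROLE SAFE_READONLY_ROLE;

--    Filter the previous SHOW output: any row returned here is a privilege
--    beyond USAGE/SELECT, or one the role could pass on to others. An empty
--    result is what a read-only integration should produce.
SELECT "privilege", "granted_on", "name", "grant_option"
FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
WHERE "privilege" NOT IN ('USAGE', 'SELECT')
   OR "grant_option" = 'true';

-- 5. List the scheduled tasks so the ones added by the script, their
--    schedule and their owner role are known and can be monitored.
SHOW TASKS IN ACCOUNT;
```

Because the script resets the read-only user's password on every load, rerun steps 3 and 4 after each reload to confirm the network policy and grants are unchanged.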
Step 2: Enter and save connection details in SAFE
- Navigate to the Snowflake configuration page in SAFE Hooks.
- Enter the connection details generated in step 1: Snowflake instance URL, Username, and Password.
- Click the Test Connection button.
- Once the connection is verified, click the Save button. You have now successfully onboarded the Snowflake account in SAFE.
Step 3: Assess the Snowflake account and view results in SAFE
- On the Snowflake configuration page in SAFE Hooks, click the Sync Now button to assess the onboarded Snowflake account.
- The account, once saved, is assessed once per day as per the scheduled scan time. This is set to a pre-set time in 24 Hrs.
- To view the result:
  - Go to the Risk Scenario page, and click the Group Risk tab.
  - Click the Cloud SaaS Applications Risk from the list.
  - Scroll down and click the Attack Surface view.
  - Here you can see the Snowflake asset.
  - Click the Snowflake asset to view the controls and their status.