Snowflake Trust Center Scanner Package
This page contains the documentation for the Trust Center Native App policies.
Overview
The TLX Role Reports scanner package is a comprehensive security and compliance monitoring solution designed for Snowflake data platforms. This package automatically scans your Snowflake account to identify potential security vulnerabilities, compliance gaps, and access control issues that could put your organization's data at risk.
Think of it as your automated security auditor that runs continuously in the background, examining user roles, data access patterns, and security configurations to help you maintain a secure and compliant data environment.
What This Package Does
The TLX Role Reports scanner package performs automated security assessments across four critical areas:
Unused Role Detection - Identifies roles that have been assigned but aren't being actively used
Sensitive Data Protection - Finds sensitive data columns that lack proper masking policies
External Access Monitoring - Tracks which roles can access external storage systems
Privilege Management - Monitors users with high-level system roles
Each scanner runs independently and provides detailed reports with severity ratings, remediation guidance, and specific entities that need attention. The package integrates seamlessly with Snowflake's Trust Center to provide a unified view of your security posture.
Understanding Severity Levels
All scanners in this package use a common severity rating system based on the number of at-risk entities found. The severity is automatically calculated and helps prioritize which issues need immediate attention:
LOW: Fewer than 15 at-risk entities
Indicates a relatively small number of issues that should be addressed as part of regular maintenance
MEDIUM: 15-49 at-risk entities
Suggests a moderate security concern that warrants attention in the near term
HIGH: 50-500 at-risk entities
Represents a significant security risk that should be prioritized for remediation
CRITICAL: More than 500 at-risk entities
Indicates a widespread security issue requiring immediate action and potentially a comprehensive remediation plan
The severity level helps you understand the scale of the issue and prioritize your response efforts accordingly.
Scanner Details
1. Detect Unused Roles By Users
What It Does: This scanner identifies users who have been assigned critical roles (like ACCOUNTADMIN, SECURITYADMIN, USERADMIN, or SYSADMIN) but haven't actually used those roles to execute any queries. By default, it flags roles that have been inactive for at least 90 days.
Why It Matters: When users have powerful roles assigned but never use them, you're essentially leaving "keys to the kingdom" lying around. These unused roles create security risks because:
They expand your attack surface - if a user account is compromised, unused roles provide additional privileges that attackers could exploit
They violate the principle of least privilege - users should only have access to what they actually need
They create compliance and audit challenges - auditors question why users have permissions they don't use
They contribute to "role explosion" - over time, unused roles accumulate and make access management increasingly complex
How It Works: The scanner compares two data sources:
User-Role Assignments: Which users have which roles assigned to them
Query History: When each user-role combination was last used to run a query
If a role has been assigned but never used, or hasn't been used within the configured time period (default 90 days), it's flagged as a risk.
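The comparison described above, written as an added illustrative query against Snowflake's ACCOUNT_USAGE views (this is not the package's own scanner code; the four role names and the 90-day default come from this page, the view and column names are Snowflake's, and the session variable is my own):

```sql
-- Added illustration, not the scanner's implementation. ACCOUNT_USAGE views
-- lag live activity by up to a few hours and keep QUERY_HISTORY for 365 days.
SET inactivity_days = 90;   -- the scanner's default window

WITH critical_grants AS (
    -- current (not revoked) assignments of the four critical roles to users,
    -- excluding grants too young to have had a full window of possible use
    SELECT grantee_name AS user_name, role, created_on AS granted_on
    FROM snowflake.account_usage.grants_to_users
    WHERE deleted_on IS NULL
      AND granted_to = 'USER'
      AND role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'USERADMIN', 'SYSADMIN')
      AND created_on < DATEADD('day', -$inactivity_days, CURRENT_TIMESTAMP())
),
last_use AS (
    -- most recent query each user ran with that role as the session's primary role
    SELECT user_name, role_name AS role, MAX(start_time) AS last_used_at
    FROM snowflake.account_usage.query_history
    GROUP BY user_name, role_name
)
SELECT g.user_name,
       g.role,
       g.granted_on,
       u.last_used_at,
       CASE
           WHEN u.last_used_at IS NULL THEN 'NEVER_USED'
           ELSE 'INACTIVE_' || DATEDIFF('day', u.last_used_at, CURRENT_TIMESTAMP()) || '_DAYS'
       END AS finding
FROM critical_grants g
LEFT JOIN last_use u
       ON u.user_name = g.user_name
      AND u.role      = g.role
WHERE u.last_used_at IS NULL
   OR u.last_used_at < DATEADD('day', -$inactivity_days, CURRENT_TIMESTAMP())
ORDER BY g.role, g.user_name;
```

QUERY_HISTORY.ROLE_NAME records the session's primary role only, so privileges exercised through the role hierarchy or secondary roles do not count as use here; treat NEVER_USED as a prompt to review the grant, not as proof it was idle.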
Recommended Actions:
Regularly audit role assignments and remove roles that are no longer needed
Implement automated role lifecycle management to revoke unused roles
Review access logs periodically to ensure all assigned roles serve a valid purpose
Consider implementing Just-In-Time (JIT) role activation for critical roles
2. Detect Sensitive Columns Without Masking Policies
What It Does: This scanner identifies database columns that have been tagged with privacy category tags (indicating they contain sensitive or personally identifiable information) but don't have masking policies applied to protect that data.
Why It Matters: Sensitive data like Social Security numbers, credit card information, email addresses, or health records require special protection. Masking policies ensure that when users query these columns, they only see data that's appropriate for their role - for example, a customer service representative might see only the last four digits of a credit card, while a data analyst might see fully masked values.
Without masking policies:
Compliance Violations: Regulations like GDPR, HIPAA, and PCI-DSS require protection of sensitive data
Data Exposure: Users with legitimate access to a table might see sensitive data they don't need
Audit Failures: Security audits will flag unprotected sensitive data as a critical finding
Reputation Risk: Data breaches involving unprotected sensitive information can severely damage your organization's reputation
How It Works: The scanner:
Finds all columns tagged with privacy category tags (indicating sensitive data)
Checks whether those columns have masking policies attached
Reports any tagged columns that lack protection
Recommended Actions:
Apply masking policies to all columns containing sensitive data
Enforce role-based access controls (RBAC) to restrict sensitive data access
Regularly review permissions to ensure only authorized personnel can access PII fields
Implement encryption and anonymization techniques where applicable
Establish a data classification process to ensure all sensitive data is properly tagged
3. Detect Roles Accessing External Storage
What It Does: This scanner identifies which roles have usage privileges on external stages - these are connections to storage systems outside of Snowflake (like AWS S3, Azure Blob Storage, or Google Cloud Storage). It shows you which external storage locations are accessible and which roles can access them.
Why It Matters: External stages allow data to move in and out of Snowflake, which is powerful but also risky:
Data Exfiltration Risk: Unauthorized access to external stages could allow someone to export sensitive data outside your Snowflake environment
Compliance Concerns: Data movement to external systems may violate data residency or privacy regulations
Audit Complexity: As your organization grows and roles multiply, it becomes difficult to track who has access to external data sources
Attack Surface: External stages create additional entry points that need to be monitored and controlled
How It Works: The scanner examines:
All external stages configured in your Snowflake account
Which roles have been granted USAGE privileges on those stages
The external URL of each stage, grouping stages by URL so that all roles able to reach a given external storage location are reported together
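An added illustrative query for this grouping (not the package's own code), joining ACCOUNT_USAGE.STAGES to ACCOUNT_USAGE.GRANTS_TO_ROLES; view and column names are Snowflake's, and the inclusion of OWNERSHIP alongside USAGE is my addition:

```sql
-- Added illustration, not the scanner's implementation.
-- OWNERSHIP implies usage, so owners are included; roles that only inherit
-- access through the role hierarchy are not expanded here.
SELECT s.stage_url,
       LISTAGG(DISTINCT s.stage_catalog || '.' || s.stage_schema || '.' || s.stage_name, ', ')
           WITHIN GROUP (ORDER BY s.stage_catalog || '.' || s.stage_schema || '.' || s.stage_name)
                                                 AS stages_at_url,
       COUNT(DISTINCT g.grantee_name)            AS role_count,
       LISTAGG(DISTINCT g.grantee_name, ', ')
           WITHIN GROUP (ORDER BY g.grantee_name) AS roles_with_access
FROM snowflake.account_usage.stages s
JOIN snowflake.account_usage.grants_to_roles g
  ON g.granted_on    = 'STAGE'
 AND g.granted_to    = 'ROLE'
 AND g.privilege     IN ('USAGE', 'OWNERSHIP')
 AND g.table_catalog = s.stage_catalog
 AND g.table_schema  = s.stage_schema
 AND g.name          = s.stage_name
 AND g.deleted_on IS NULL
WHERE s.deleted IS NULL
  AND s.stage_type = 'External Named'      -- S3, Azure Blob, GCS stages
GROUP BY s.stage_url
ORDER BY role_count DESC, s.stage_url;
```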
Recommended Actions:
Review all roles with external stage access and validate that access is necessary
Restrict external stage access to only roles that require it for legitimate business purposes
Monitor data movement logs to detect unauthorized access attempts
Apply strict policies on data export and ensure security measures are in place for outbound transfers
Consider implementing data loss prevention (DLP) tools to monitor external data access
4. Detect System Defined Role Assignments
What It Does: This scanner identifies users who have been granted system-defined roles with elevated privileges. By default, it monitors for the four most powerful system roles: ACCOUNTADMIN, SYSADMIN, SECURITYADMIN, and USERADMIN. It can exclude specific users from the report (via an allowlist) if they're authorized to have these roles.
Why It Matters: System-defined roles in Snowflake have extensive privileges:
ACCOUNTADMIN: Full control over the entire Snowflake account
SYSADMIN: Can create and manage all objects except users and roles
SECURITYADMIN: Can manage users, roles, and security policies
USERADMIN: Can create and manage users and roles
Having too many users with these roles creates significant security risks:
Privilege Escalation: If a user with high privileges is compromised, attackers gain extensive access
Accidental Damage: Users with excessive privileges might accidentally modify or delete critical data
Compliance Issues: Regulations often require limiting administrative access
Audit Challenges: Auditors expect to see strict controls on who has administrative access
How It Works: The scanner:
Identifies all users who have been granted system-defined roles
Excludes users on the allowlist (pre-approved users who should have these roles)
Reports remaining users with their assigned system roles
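The allowlist exclusion above, together with the severity thresholds from the Understanding Severity Levels section, as an added illustrative query (not the package's own code). The allowlist user names are constructed placeholders; the view and column names are Snowflake's:

```sql
-- Added illustration, not the scanner's implementation.
WITH allowlist AS (
    -- constructed placeholder names for pre-approved administrators
    SELECT column1 AS user_name
    FROM VALUES ('BREAK_GLASS_ADMIN'), ('SVC_PROVISIONING')
),
findings AS (
    -- current system-role grants to users who are not on the allowlist
    SELECT g.grantee_name AS user_name, g.role, g.created_on
    FROM snowflake.account_usage.grants_to_users g
    LEFT JOIN allowlist a ON a.user_name = g.grantee_name
    WHERE g.deleted_on IS NULL
      AND g.granted_to = 'USER'
      AND g.role IN ('ACCOUNTADMIN', 'SYSADMIN', 'SECURITYADMIN', 'USERADMIN')
      AND a.user_name IS NULL
),
severity AS (
    -- the entity counted is the USER, so count distinct users, then apply
    -- the page's thresholds: <15 LOW, 15-49 MEDIUM, 50-500 HIGH, >500 CRITICAL
    SELECT COUNT(DISTINCT user_name) AS at_risk_count,
           CASE WHEN COUNT(DISTINCT user_name) > 500 THEN 'CRITICAL'
                WHEN COUNT(DISTINCT user_name) >= 50 THEN 'HIGH'
                WHEN COUNT(DISTINCT user_name) >= 15 THEN 'MEDIUM'
                ELSE 'LOW'
           END AS severity
    FROM findings
)
SELECT f.user_name, f.role, f.created_on, s.at_risk_count, s.severity
FROM findings f
CROSS JOIN severity s
ORDER BY f.role, f.user_name;
```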
Recommended Actions:
Regularly audit users with high privileges and validate that those grants are necessary
Implement the principle of least privilege (PoLP) - grant only the minimum access needed
Use Just-In-Time (JIT) privilege escalation to grant elevated privileges only when required
Set up alerts to track and report any unauthorized privilege escalations
Maintain a documented list of authorized administrative users
Consider using role hierarchies instead of direct system role assignments
Understanding Scanner Results
Each scanner provides several key pieces of information:
Risk Identification
Risk ID: A unique identifier for this type of risk
Risk Name: A human-readable name describing the risk
Scanner Type: Vulnerability
Impact Assessment
Total At-Risk Count: The number of entities (users, columns, stages, etc.) that have this risk
Severity: Automatically calculated based on the count (LOW, MEDIUM, HIGH, or CRITICAL)
Impact Description: An explanation of why this risk matters to your organization
Detailed Findings
At-Risk Entities: A list of specific users, columns, or other objects that need attention
Each entity includes:
Entity ID: A unique identifier
Entity Name: The name of the user, column, or object
Entity Object Type: What kind of entity it is (USER, COLUMN, EXTERNAL_STAGE)
Entity Detail: Additional context about the specific finding
Remediation Guidance
Suggested Action: Step-by-step recommendations for addressing the identified risks
Best Practices
Run Scans Regularly: Schedule scans to run on a regular basis (weekly or monthly) to catch issues early
Review Severity Levels: Pay special attention to HIGH and CRITICAL findings, but don't ignore LOW and MEDIUM issues
Act on Findings: Use the remediation guidance to address identified risks promptly
Maintain Allowlists: Keep your allowlists up to date to ensure legitimate access isn't flagged
Document Decisions: When you choose not to remediate a finding, document why for audit purposes
Integrate with Processes: Make scanner results part of your regular security review and compliance processes
Support and Resources
For more information about role management and security best practices, refer to: