Skip to content

The 34 Snowflake security checks Black Cat runs

Black Cat SSPM evaluates 34 security policies against your Snowflake configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highPassword Only Auth

Replace password-only authentication with MFA or key pair authentication

highService Account Password Auth

Switch service account authentication from password to key pair and set user type to SERVICE

highACCOUNTADMIN Default Role

Change the user's default role from ACCOUNTADMIN to a lower-privilege role

highExcessive Admin Roles

Reduce the number of users with ACCOUNTADMIN or SYSADMIN roles to the minimum necessary

highNo Separation Of Duties

Revoke conflicting admin roles so no single user holds both ACCOUNTADMIN and SYSADMIN or SECURITYADMIN

highDisabled User With Active Grants

Revoke all role grants from disabled Snowflake user accounts

mediumDormant User

Disable or remove dormant user accounts that have been inactive for 90+ days

mediumUser Not Disabled

Disable long-inactive user accounts that have not logged in for 180+ days

highACCOUNTADMIN Excessive Grants

Reduce the number of users granted the ACCOUNTADMIN role to three or fewer

mediumWeak Password Policy

Strengthen the Snowflake password policy to enforce minimum length, expiry, and lockout requirements

highOAuth Integration Permissive

Restrict the OAuth security integration by attaching a network policy and scoping allowed roles

configuration

mediumLow Data Retention

Increase the minimum data retention period to at least 7 days to support point-in-time recovery

mediumSSO Login Page Disabled

Enable the federated SSO login page so users can authenticate via your identity provider

mediumNo SSO Configured

Configure a SAML2 security integration to enable SSO via your corporate identity provider

mediumNo SCIM Configured

Configure a SCIM security integration to enable automated user provisioning and deprovisioning

lowWarehouse No Auto Suspend

Enable auto-suspend on the warehouse to automatically stop it after a period of inactivity

lowWarehouse No Auto Resume

Enable auto-resume on the warehouse so it starts automatically when queries arrive

lowWarehouse No Resource Monitor

Assign a resource monitor to the warehouse to track and cap credit usage

lowWarehouse Oversized

Downsize the warehouse to an appropriate size for its workload to reduce credit consumption

mediumNo Account Resource Monitor

Create an account-level resource monitor to track and cap total credit consumption

lowResource Monitor Notify Only

Add suspend or suspend-immediate triggers to the resource monitor so it automatically stops warehouses at the credit limit

data leakage

highNo Storage Integration Required

Enforce storage integrations for external stage creation to prevent unauthorized cloud storage access

highUnload To Inline URL

Prevent data unloading to inline cloud storage URLs to block unauthorized data exfiltration

mediumUnload To Internal Stages

Prevent data unloading to Snowflake internal stages to reduce data exfiltration risk

mediumOutbound Share Review

Review and validate all outbound data shares to confirm they are still necessary and appropriately scoped

mediumShare To Many Accounts

Reduce the number of accounts consuming a data share to the minimum necessary

mediumShare Listing Unrestricted

Enable listing restrictions on outbound data shares

encryption

mediumData Rekeying Disabled

Enable periodic data rekeying to ensure encryption keys are regularly rotated

mfa

criticalMFA Not Enabled

Enable MFA for the Snowflake user account

criticalAuthentication Policy No MFA

Update the authentication policy to require MFA for all users

network security

highNo Network Policy

Create and apply an account-level network policy to restrict Snowflake access by IP address

highNetwork Policy Wildcard

Remove the 0.0.0.0/0 wildcard from the network policy allowed IP list and restrict to known CIDRs

lowNetwork Policy No Blocklist

Add a blocked IP list to the network policy to explicitly deny known malicious IP ranges

highIntegration No Network Policy

Attach a network policy to the security integration to restrict access by IP address

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial