The 34 Snowflake security checks Black Cat runs
Black Cat SSPM evaluates 34 security policies against your Snowflake configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Replace password-only authentication with MFA or key pair authentication
Switch service account authentication from password to key pair and set user type to SERVICE
Change the user's default role from ACCOUNTADMIN to a lower-privilege role
Reduce the number of users with ACCOUNTADMIN or SYSADMIN roles to the minimum necessary
Revoke conflicting admin roles so no single user holds both ACCOUNTADMIN and SYSADMIN or SECURITYADMIN
Revoke all role grants from disabled Snowflake user accounts
Disable or remove dormant user accounts that have been inactive for 90+ days
Disable long-inactive user accounts that have not logged in for 180+ days
Reduce the number of users granted the ACCOUNTADMIN role to three or fewer
Strengthen the Snowflake password policy to enforce minimum length, expiry, and lockout requirements
Restrict the OAuth security integration by attaching a network policy and scoping allowed roles
configuration
Increase the minimum data retention period to at least 7 days to support point-in-time recovery
Enable the federated SSO login page so users can authenticate via your identity provider
Configure a SAML2 security integration to enable SSO via your corporate identity provider
Configure a SCIM security integration to enable automated user provisioning and deprovisioning
Enable auto-suspend on the warehouse to automatically stop it after a period of inactivity
Enable auto-resume on the warehouse so it starts automatically when queries arrive
Assign a resource monitor to the warehouse to track and cap credit usage
Downsize the warehouse to an appropriate size for its workload to reduce credit consumption
Create an account-level resource monitor to track and cap total credit consumption
Add suspend or suspend-immediate triggers to the resource monitor so it automatically stops warehouses at the credit limit
data leakage
Enforce storage integrations for external stage creation to prevent unauthorized cloud storage access
Prevent data unloading to inline cloud storage URLs to block unauthorized data exfiltration
Prevent data unloading to Snowflake internal stages to reduce data exfiltration risk
Review and validate all outbound data shares to confirm they are still necessary and appropriately scoped
Reduce the number of accounts consuming a data share to the minimum necessary
Enable listing restrictions on outbound data shares
encryption
Enable periodic data rekeying to ensure encryption keys are regularly rotated
mfa
Enable MFA for the Snowflake user account
Update the authentication policy to require MFA for all users
network security
Create and apply an account-level network policy to restrict Snowflake access by IP address
Remove the 0.0.0.0/0 wildcard from the network policy allowed IP list and restrict to known CIDRs
Add a blocked IP list to the network policy to explicitly deny known malicious IP ranges
Attach a network policy to the security integration to restrict access by IP address