⭐ Repository → 📁 Compliance Engine → 📁 CloudAware → 📁 Snowflake → 📁 User

🛡️ Snowflake User Default Role is ACCOUNTADMIN🟢

• Contextual name: 🛡️ Default Role is ACCOUNTADMIN🟢
• ID: /ce/ca/snowflake/user/account-admin-default-role
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Snowflake User
  • 🔌 Snowflake User - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that the ACCOUNTADMIN role is not set as the default role for Snowflake Users.

Rationale

The ACCOUNTADMIN role grants full control over account parameters, billing data, user/role definitions, warehouses, and all metadata objects. Defaulting to this role for routine queries or development tasks exposes critical controls and sensitive information unnecessarily.

Forcing users to explicitly switch into ACCOUNTADMIN for high-impact tasks ensures that every use of the role is a deliberate action, improving incident investigations and reducing accidental misuse.

Snowflake’s RBAC model provides specialized system roles (e.g., SYSADMIN, SECURITYADMIN, USERADMIN) that should serve as default roles for administrators of specific functions.

Audit

This policy marks a Snowflake User as INCOMPLIANT if Default Role Name field is set to ACCOUNTADMIN.

Remediation

Open File

Remediation

Using SQL

The executing role must hold the OWNERSHIP privilege on the target user account to modify its properties via SQL.

Execute the following SQL command for each user found to have ACCOUNTADMIN as their default role:

ALTER USER {{username}}
    SET DEFAULT_ROLE = {{non_accountadmin_role}};

Replace {{non_accountadmin_role}} with an appropriate, lower-privileged role that aligns with the user’s operational needs (e.g., SYSADMIN, SECURITYADMIN, or a custom business role).

• If the user legitimately requires elevated privileges, retain access to ACCOUNTADMIN, but require them to explicitly activate it via the USE ROLE ACCOUNTADMIN; command when necessary.

• Revoke or reassign this role where it is no longer justified, following your organization’s access control and change management policies.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 User Account Management			17		no data