Skip to main content

🛡️ Snowflake User Default Role is ACCOUNTADMIN🟢

Logic

Description

Open File

Description

Ensure that the ACCOUNTADMIN role is not set as the default role for Snowflake Users.

Rationale

The ACCOUNTADMIN role grants full control over account parameters, billing data, user/role definitions, warehouses, and all metadata objects. Defaulting to this role for routine queries or development tasks exposes critical controls and sensitive information unnecessarily.

Forcing users to explicitly switch into ACCOUNTADMIN for high-impact tasks ensures that every use of the role is a deliberate action, improving incident investigations and reducing accidental misuse.

Snowflake’s RBAC model provides specialized system roles (e.g., SYSADMIN, SECURITYADMIN, USERADMIN) that should serve as default roles for administrators of specific functions.

Audit

This policy marks a Snowflake User as INCOMPLIANT if Default Role Name field is set to ACCOUNTADMIN.

Remediation

Open File

Remediation

Using SQL

The executing role must hold the OWNERSHIP privilege on the target user account to modify its properties via SQL.

Execute the following SQL command for each user found to have ACCOUNTADMIN as their default role:

ALTER USER {{username}}
    SET DEFAULT_ROLE = {{non_accountadmin_role}};

Replace {{non_accountadmin_role}} with an appropriate, lower-privileged role that aligns with the user’s operational needs (e.g., SYSADMIN, SECURITYADMIN, or a custom business role).

  • If the user legitimately requires elevated privileges, retain access to ACCOUNTADMIN, but require them to explicitly activate it via the USE ROLE ACCOUNTADMIN; command when necessary.

  • Revoke or reassign this role where it is no longer justified, following your organization’s access control and change management policies.

policy.yaml

Open File

Linked Framework Sections

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
💼 Cloudaware Framework → 💼 User Account Management19no data