π Snowflake User MFA is not enabled π’
- Contextual name: π MFA is not enabled π’
- ID:
/ce/ca/snowflake/user/mfa-is-not-enabled - Located in: π Snowflake User
Flagsβ
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
Our Metadataβ
- Policy Type:
COMPLIANCE_POLICY - Policy Category:
SECURITY
Logicβ
- π§ prod.logic.yaml π’
- π Snowflake User
- π Snowflake User - object.extracts.yaml
- π§ͺ test-data.json
Descriptionβ
Descriptionβ
Ensure that Multi-Factor Authentication (MFA) is enabled for Snowflake user accounts. Snowflake provides native MFA support via its integration with Duo Security, which is fully managed by Snowflake.
Rationaleβ
MFA introduces an additional verification layer beyond the standard username and password, significantly mitigating the risk of unauthorized access due to compromised credentials.
Impactβ
Accounts without MFA are more susceptible to common attack vectors such as brute-force attempts, credential stuffing, and password leaks. The absence of MFA increases the likelihood of unauthorized access, potentially resulting in data exposure, privilege escalation, or malicious activity within the Snowflake environment.
Auditβ
This policy marks a Snowflake User as
INCOMPLIANTif:
- The
Has Passwordfield is true, and- The
Duo Security Is Enabledfield is not set to true.A User is marked as
INAPPLICABLEif theHas Passwordfield is not set to true.
Remediationβ
Remediationβ
Multi-Factor Authentication (MFA) is configured on a per-user basis in Snowflake. However, user enrollment is not automatic, each user must complete the enrollment process individually.
Enforcing MFA Enrollmentβ
The strategy for requiring MFA depends on whether your Snowflake account existed prior to the activation of the
2024_08behavior change bundle.
Accounts Created Before the 2024_08 Bundle Activation
For accounts provisioned prior to this behavior change, you must explicitly configure an authentication policy to require MFA for users authenticating with passwords.
Exampleβ
To enforce MFA for all users authenticating via password, execute the following:
CREATE AUTHENTICATION POLICY require_mfa_with_password_authentication_policy
MFA_AUTHENTICATION_METHODS = ('PASSWORD')
MFA_ENROLLMENT = REQUIRED;After creating the policy, apply it at the desired scope (user, role, or account level).
Accounts Created After the 2024_08 Bundle Activation
... see more
policy.yamlβ
Linked Framework Sectionsβ
| Section | Sub Sections | Internal Rules | Policies | Flags |
|---|---|---|---|---|
| πΌ Cloudaware Framework β πΌ Multi-Factor Authentication (MFA) Implementation | 17 |