🛡️ Snowflake User MFA is not enabled🟢

• Contextual name: 🛡️ MFA is not enabled🟢
• ID: /ce/ca/snowflake/user/mfa-is-not-enabled
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Snowflake User
  • 🔌 Snowflake User - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

Ensure that Multi-Factor Authentication (MFA) is enabled for Snowflake user accounts. Snowflake provides native MFA support via its integration with Duo Security, which is fully managed by Snowflake.

Rationale

MFA introduces an additional verification layer beyond the standard username and password, significantly mitigating the risk of unauthorized access due to compromised credentials.

Impact

Accounts without MFA are more susceptible to common attack vectors such as brute-force attempts, credential stuffing, and password leaks. The absence of MFA increases the likelihood of unauthorized access, potentially resulting in data exposure, privilege escalation, or malicious activity within the Snowflake environment.

Audit

This policy marks a Snowflake User as INCOMPLIANT if:

• The Has Password field is true, and
• The Duo Security Is Enabled field is not set to true.

A User is marked as INAPPLICABLE if the Has Password field is not set to true.

Remediation

Open File

Remediation

Multi-Factor Authentication (MFA) is configured on a per-user basis in Snowflake. However, user enrollment is not automatic, each user must complete the enrollment process individually.

Enforcing MFA Enrollment

The strategy for requiring MFA depends on whether your Snowflake account existed prior to the activation of the 2024_08 behavior change bundle.

1. Accounts Created Before the 2024_08 Bundle Activation

   For accounts provisioned prior to this behavior change, you must explicitly configure an authentication policy to require MFA for users authenticating with passwords.

   Example

   To enforce MFA for all users authenticating via password, execute the following:

   CREATE AUTHENTICATION POLICY require_mfa_with_password_authentication_policy
       MFA_AUTHENTICATION_METHODS = ('PASSWORD')
       MFA_ENROLLMENT = REQUIRED;

   After creating the policy, apply it at the desired scope (user, role, or account level).

2. Accounts Created After the 2024_08 Bundle Activation

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 Cloudaware Framework → 💼 Multi-Factor Authentication (MFA) Implementation			16		no data