Snowflake User password is not rotated every 90 days
- Contextual name: Password is not rotated every 90 days
- ID: /ce/ca/snowflake/user/password-is-not-rotated-every-90-days
- Located in: Snowflake User
Flags
- Policy with categories
- Policy with type
- Production policy
Our Metadata
- Policy Type: COMPLIANCE_POLICY
- Policy Category: SECURITY
Logic
- prod.logic.yaml
- Snowflake User
- Snowflake User - object.extracts.yaml
- test-data.json
Description
Ensure that Snowflake user account passwords are rotated at regular intervals, with a default threshold of 90 days.
Rationale
In the event a password is exposed or exfiltrated, limiting its validity period minimizes the window of opportunity for unauthorized access. Regular rotation also mitigates the risks associated with reused, forgotten, or improperly stored credentials.
Impact
This policy enforces a password rotation interval of 90 days, aligning with common security best practices. Organizations may need to adjust this threshold to meet internal risk management policies or external regulatory requirements.
Audit
This policy marks a Snowflake User as INCOMPLIANT if:
- The Has Password field is true, and
- The Password Last Set Time is more than 90 days ago.

A User is marked as INAPPLICABLE if the Has Password field is not set to true.
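The audit conditions above can be checked directly in Snowflake. The query below is an added example, not part of the policy's own logic files. It assumes read access to the SNOWFLAKE.ACCOUNT_USAGE.USERS view; the COMPLIANT and UNDETERMINED labels are assumptions, since the page names only INCOMPLIANT and INAPPLICABLE.

```sql
-- Added example: classify each user according to the Audit rules on this page.
-- Assumption: the executing role can read SNOWFLAKE.ACCOUNT_USAGE.USERS.
SELECT
    name,
    has_password,
    password_last_set_time,
    -- Informational only: DATEDIFF counts calendar-day boundaries crossed.
    DATEDIFF('day', password_last_set_time, CURRENT_TIMESTAMP()) AS password_age_days,
    CASE
        -- No password on the account (for example key-pair or SSO only).
        WHEN has_password IS DISTINCT FROM TRUE
            THEN 'INAPPLICABLE'
        -- Password present but no timestamp recorded; the page does not
        -- define this case, so it is surfaced for manual review (assumption).
        WHEN password_last_set_time IS NULL
            THEN 'UNDETERMINED'
        -- Password was last set more than 90 days ago.
        WHEN password_last_set_time < DATEADD('day', -90, CURRENT_TIMESTAMP())
            THEN 'INCOMPLIANT'
        ELSE 'COMPLIANT'
    END AS rotation_status
FROM snowflake.account_usage.users
-- ACCOUNT_USAGE keeps rows for dropped users; exclude them.
WHERE deleted_on IS NULL
ORDER BY rotation_status, password_age_days DESC NULLS LAST;
```

ACCOUNT_USAGE views lag behind live account state, so a password reset a few minutes ago may still appear with its old timestamp.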
Remediation
Password Rotation
Using SQL
The executing role must hold the OWNERSHIP privilege on the target user account to modify its properties via SQL.
- Reset the User Password:
ALTER USER {{username}} SET PASSWORD = '{{new_password}}';
- Enforce Password Change on Next Login (Recommended):
ALTER USER {{username}} SET MUST_CHANGE_PASSWORD = TRUE;
policy.yaml
Linked Framework Sections
Section | Sub Sections | Internal Rules | Policies | Flags |
---|---|---|---|---|
Cloudaware Framework → Credential Lifecycle Management | 18 |