Snowflake Compliance Mod

Run individual configuration, compliance and security controls or full compliance benchmarks for Security Overview and Best Practices across all your Snowflake accounts.

References

Snowflake is a single, integrated platform delivered as-a-service. It features storage, compute, and global services layers that are physically separated but logically integrated. Data workloads scale independently from one another, making it an ideal platform for data warehousing, data lakes, data engineering, data science, modern data sharing, and developing data applications.

Snowflake Security Overview and Best Practices provides an overview of security features and best practice guidelines for securing your data in Snowflake.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.

Documentation

Benchmarks and controls →
Named queries →

Getting started

Installation

Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the Snowflake plugin with Steampipe:

steampipe plugin install snowflake

Clone:

git clone https://github.com/turbot/steampipe-mod-snowflake-compliance.git
cd steampipe-mod-snowflake-compliance

Usage

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at https://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all benchmarks:

steampipe check all

Run a single benchmark:

steampipe check benchmark.security_overview

Run a specific control:

steampipe check control.security_overview_iam_user_default_role_is_set

Different output formats are also available, for more information please see Output Formats.

Credentials

This mod uses the credentials configured in the Steampipe Snowflake plugin.

Configuration

Several benchmarks have input variables that can be configured to better match your environment and requirements. Each variable has a default defined in its source file, e.g., security_overview/network_security.sp, but these can be overriden in several ways:

Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

Pass in a value on the command line:

steampipe check benchmark.security_overview_network_security --var 'allowed_ips=["192.168.1.0/24", "172.10.1.0/24"]'

Set an environment variable:
```
SP_VAR_allowed_ips='["192.168.1.0/24", "172.10.1.0/24"]' steampipe check benchmark.security_overview_network_security
```
- Note: When using environment variables, if the variable is defined in steampipe.spvars or passed in through the command line, either of those will take precedence over the environment variable value. For more information on variable definition precedence, please see the link below.

These are only some of the ways you can set variables. For a full list, please see Passing Input Variables.

Contributing

If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.

Join our Slack community → and hang out with other Mod developers.

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues:

turbot/snowflake_compliance