turbot/snowflake_compliance
GitHub
Loading controls...

Control: ACCOUNTADMIN role must not be set as the default role for users

Description

Grant the ACCOUNTADMIN role to the user(s), but do not set this role as their default. Instead, designate a lower-level administrative role (e.g. SYSADMIN) or custom role as their default. This helps prevent account administrators from inadvertently using the ACCOUNTADMIN role to create objects.

Usage

Run the control in your terminal:

steampipe check snowflake_compliance.control.security_overview_iam_user_accountadmin_must_not_be_default_role

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share snowflake_compliance.control.security_overview_iam_user_accountadmin_must_not_be_default_role

SQL

This control uses a named query:

iam_user_default_role_must_not_be_accountadmin