Control: ACCOUNTADMIN role must not be set as the default role for users
Grant the ACCOUNTADMIN role to the user(s), but do not set this role as their default. Instead, designate a lower-level administrative role (e.g. SYSADMIN) or custom role as their default. This helps prevent account administrators from inadvertently using the ACCOUNTADMIN role to create objects.
Run the control in your terminal:
steampipe check snowflake_compliance.control.security_overview_iam_user_accountadmin_must_not_be_default_role
Snapshot and share results via Steampipe Cloud:
steampipe loginsteampipe check --share snowflake_compliance.control.security_overview_iam_user_accountadmin_must_not_be_default_role
This control uses a named query:iam_user_default_role_must_not_be_accountadmin