turbot/snowflake_compliance

Control: Use managed access schemas to centralize grant management

Description

With regular (i.e. non-managed) schemas in a database, object owners (i.e. roles with the OWNERSHIP privilege on one or more objects) can grant access on those objects to other roles, with the option to further grant those roles the ability to manage object grants.

To further lock down object security, consider using managed access schemas. In a managed access schema, object owners lose the ability to make grant decisions. Only the schema owner (i.e. the role with the OWNERSHIP privilege on the schema) or a role with the MANAGE GRANTS privilege can grant privileges on objects in the schema, including future grants, centralizing privilege management.

Note that a role that holds the global MANAGE GRANTS privilege can grant additional privileges to the current (grantor) role.

Usage

Run the control in your terminal:

powerpipe control run snowflake_compliance.control.security_overview_iam_schema_managed_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run snowflake_compliance.control.security_overview_iam_schema_managed_access --share

SQL

This control uses a named query:

iam_schema_managed_access_enabled