turbot/snowflake_compliance

Control: Enable MFA for users to provide an additional layer of security

Description

Snowflake supports multi-factor authentication (MFA) to provide increased login security for users connecting to Snowflake. MFA support is provided as an integrated Snowflake feature, powered by the Duo Security service, which is managed completely by Snowflake.

Users do not need to separately sign up with Duo or perform any tasks, other than installing the Duo Mobile application, which is supported on multiple smart phone platforms (iOS, Android, Windows, etc.). See the Duo User Guide for more information about supported platforms/devices and how Duo multi-factor authentication works.

MFA is enabled on a per-user basis; however, at this time, users are not automatically enrolled in MFA. To use MFA, users must enroll themselves.

At a minimum, Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.

Usage

Run the control in your terminal:

powerpipe control run snowflake_compliance.control.security_overview_iam_user_with_built_in_duo_mfa_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run snowflake_compliance.control.security_overview_iam_user_with_built_in_duo_mfa_enabled --share

SQL

This control uses a named query:

iam_user_with_built_in_duo_mfa_enabled