Control: ACCOUNTADMIN role must not be set as the default role for users
Description
Grant the ACCOUNTADMIN role to the user(s), but do not set this role as their default. Instead, designate a lower-level administrative role (e.g. SYSADMIN) or custom role as their default. This helps prevent account administrators from inadvertently using the ACCOUNTADMIN role to create objects.
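The remediation the description calls for, written out as Snowflake SQL. This is an added example, not part of the control or the Steampipe plugin; the user name `alice` is a placeholder and the default role chosen (SYSADMIN) is one of the options the description names.

```sql
-- Grant ACCOUNTADMIN so the user can switch to it when genuinely needed.
GRANT ROLE ACCOUNTADMIN TO USER alice;

-- Keep a lower-privilege administrative role as the session default, so
-- objects created without an explicit USE ROLE are not owned by ACCOUNTADMIN.
ALTER USER alice SET DEFAULT_ROLE = SYSADMIN;

-- Verify: DEFAULT_ROLE should now read SYSADMIN, while the grant list still
-- includes ACCOUNTADMIN.
DESCRIBE USER alice;
SHOW GRANTS TO USER alice;
```

Run this as a role that can manage the user (SECURITYADMIN or USERADMIN with ownership of the user); the control query on this page will report `ok` for the user once the default role is no longer ACCOUNTADMIN.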
Usage
Run the control in your terminal:
powerpipe control run snowflake_compliance.control.security_overview_iam_user_accountadmin_must_not_be_default_role
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run snowflake_compliance.control.security_overview_iam_user_accountadmin_must_not_be_default_role --share
SQL
This control uses a named query:
select
  name as resource,
  case
    when default_role = 'ACCOUNTADMIN' then 'alarm'
    else 'ok'
  end as status,
  name || ' default_role is ' || default_role || '.' as reason,
  account
from
  snowflake_user;
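A variant of the control query that handles one edge case the query above does not: a user with no default role at all. In Steampipe's PostgreSQL engine, string concatenation with a NULL `default_role` yields a NULL `reason`, which makes the finding harder to read in reports. This is an added example, not the control's own query; it assumes the same `snowflake_user` table and columns used above, and the `upper()` comparison is an added assumption that the plugin may return role names in mixed case.

```sql
select
  name as resource,
  case
    -- Compare case-insensitively in case the plugin preserves the stored case.
    when upper(default_role) = 'ACCOUNTADMIN' then 'alarm'
    else 'ok'
  end as status,
  -- coalesce/nullif keep the reason readable when default_role is NULL or ''.
  name || ' default_role is '
    || coalesce(nullif(default_role, ''), '<not set>')
    || '.' as reason,
  account
from
  snowflake_user
order by
  status, name;
```

A user with no default role is reported as `ok` here, matching the original control's intent (only ACCOUNTADMIN as default is an alarm); if your policy also requires every user to have an explicit default role, add a second `when` branch that returns `info` or `alarm` for the `<not set>` case.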