Control: Enable MFA for users to provide an additional layer of security
Description
Snowflake supports multi-factor authentication (MFA) to provide increased login security for users connecting to Snowflake. MFA support is provided as an integrated Snowflake feature, powered by the Duo Security service, which is managed completely by Snowflake.
Users do not need to separately sign up with Duo or perform any tasks, other than installing the Duo Mobile application, which is supported on multiple smart phone platforms (iOS, Android, Windows, etc.). See the Duo User Guide for more information about supported platforms/devices and how Duo multi-factor authentication works.
MFA is enabled on a per-user basis; however, at this time, users are not automatically enrolled in MFA. To use MFA, users must enroll themselves.
At a minimum, Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.
Usage
Run the control in your terminal:
powerpipe control run snowflake_compliance.control.security_overview_iam_user_with_built_in_duo_mfa_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run snowflake_compliance.control.security_overview_iam_user_with_built_in_duo_mfa_enabled --share
SQL
This control uses a named query:
select
  name as resource,
  case
    when ext_authn_duo then 'ok'
    else 'alarm'
  end as status,
  case
    when ext_authn_duo then name || ' built-in Duo MFA enabled.'
    else name || ' built-in Duo MFA not enabled.'
  end as reason,
  account
from
  snowflake_user;
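The recommendation in the description that every ACCOUNTADMIN user be required to use MFA can be checked with a narrower variant of the named query. This is an added example, not part of the mod; it assumes the Steampipe Snowflake plugin exposes a `snowflake_role_grant` table with `role`, `granted_to`, `grantee_name` and `account` columns, and it only sees grants made directly to users.

```sql
-- Added example, not part of the snowflake_compliance mod.
-- Assumption: the Steampipe Snowflake plugin exposes snowflake_role_grant
-- with columns role, granted_to, grantee_name and account.
with accountadmin_users as (
  -- Users granted ACCOUNTADMIN directly; grants inherited through
  -- other roles are not resolved here.
  select distinct
    grantee_name,
    account
  from
    snowflake_role_grant
  where
    role = 'ACCOUNTADMIN'
    and granted_to = 'USER'
)
select
  u.name as resource,
  case
    when u.ext_authn_duo then 'ok'
    else 'alarm'  -- false or null: the user has not enrolled in Duo MFA
  end as status,
  case
    when u.ext_authn_duo then u.name || ' holds ACCOUNTADMIN and has built-in Duo MFA enabled.'
    else u.name || ' holds ACCOUNTADMIN without built-in Duo MFA.'
  end as reason,
  u.account
from
  snowflake_user as u
  join accountadmin_users as a
    on a.grantee_name = u.name
    and a.account = u.account;
```

Rows in `alarm` are the accounts to enroll first, since MFA is per-user and enrollment is not automatic.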