Exam SnowPro Core topic 1 question 70 discussion

At a minimum, Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.

If the account was created after the 2024_08 bundle was enabled, then all human users must enroll in MFA by default. For more information about this default behavior for new accounts, see the following:

https://docs.snowflake.com/en/user-guide/security-mfa Attention At a minimum, Snowflake strongly recommends that all users with the ACCOUNTADMIN role be required to use MFA.

https://www.snowflake.com/en/blog/multi-factor-identification-default/

Answer is B but recently Snowflake announced that they are pushing for ALL users to have MFA and are requiring it by default. https://www.snowflake.com/en/blog/multi-factor-identification-default/

Snowflake recommends that, at a minimum, all users with the following roles should be enrolled in Multi-Factor Authentication (MFA): ACCOUNTADMIN SYSADMIN SECURITYADMIN

Snowflake Article, June 1 2024 We strongly recommend that customers enable multi-factor authentication (MFA) for admin users and users with access to sensitive data. This article provides instructions for reviewing which user accounts not currently leveraging MFA. Snowflake supports multi-factor authentication (i.e., MFA) to provide increased login security for users connecting to Snowflake. MFA support is provided as an integrated Snowflake feature, powered by the Duo Security service, which is managed completely by Snowflake. At a minimum, Snowflake strongly recommends that all users with the following system-defined roles enable MFA: ACCOUNTADMIN SECURITYADMIN SYSADMIN

answer B

B. SECURITYADMIN, ACCOUNTADMIN, SYSADMIN as of June 1, 2024

It doesn't make sense to me why they don't recommend securityadmin and sysadmin with MFA, but they really only recommend AccountAdmin. So D is correct.

SECURITYADMIN, ACCOUNTADMIN, SYSADMIN

B. SECURITYADMIN, ACCOUNTADMIN, SYSADMIN as of June 1, 2024

● Enforce MFA for all human users ● Enforce External OAuth or Key-Pair for programmatic user access

account and security admin

Answer must be B since 1 June 2024: At a minimum, Snowflake strongly recommends that all users with the following system-defined roles enable MFA: ACCOUNTADMIN. SECURITYADMIN. SYSADMIN.1 June 2024

As of the breaches that have occurred lately as of June 2024. Option A is now the correct answer.

The recommended roles for Multi-Factor Authentication (MFA) in Snowflake are: C. SECURITYADMIN, ACCOUNTADMIN Here's why: SECURITYADMIN: This role has broad privileges for managing security policies, users, and access controls. An unauthorized user gaining access to a SECURITYADMIN account could cause significant security risks. Enforcing MFA adds an extra layer of protection for such accounts. ACCOUNTADMIN: This role can manage account settings, users, and billing. MFA helps safeguard these critical administrative controls. While not explicitly mentioned in the minimum recommendation: SYSADMIN: The SYSADMIN role has full control over the Snowflake account. Ideally, MFA should be enabled for this role as well for maximum security. Public: The PUBLIC role has limited privileges and typically doesn't require MFA.