SnowSentry Trust Center Extension
Snowflake. Updated 2026-03-23; indexed 2026-03-27.
Download link:
https://app.snowflake.com/marketplace/listing/GZSTZ67BY9QWW
Resource overview:
# Sentry Trust Center Extension
A [Trust Center extension](https://docs.snowflake.com/en/user-guide/trust-center/trust-center-extensions#develop-a-trust-center-extension) based on [Snowflake Sentry](https://github.com/Snowflake-Labs/Sentry) security scanners. Install the application to integrate scanner packages with the Trust Center and continuously monitor your Snowflake account for vulnerabilities, misconfigurations, and suspicious activity.
This extension provides additional security coverage beyond the native first-party scanner packages on Trust Center (e.g., CIS Benchmarks, Threat Intelligence). Furthermore, it is designed to serve as a comprehensive template, providing your team with a foundation to build, customize, and deploy your own custom scanning logic on top of the Trust Center.
***Please note:** While the application is free to install, executing the scanners utilizes Snowflake compute resources and will incur credit consumption.*
# Scanner packages
After installation, the following **6 scanner packages** are expected to be available in the Trust Center.
## Secrets & Privileged Access
Scans for security risks related to credential management, privileged access grants, and sensitive configuration changes that could expose the account to unauthorized access.
- **Stale users** (Violation/Vulnerability) — Detects inactive user accounts
- **Grants to PUBLIC role** (Detection) — Detects privileges granted to all users
- **Privileged object changes** (Detection) — Monitors changes to sensitive objects
- **Grants to unmanaged schemas** (Violation/Vulnerability) — Detects grants bypassing schema ownership
- **Default role is ACCOUNTADMIN** (Violation/Vulnerability) — Users defaulting to full admin privileges
## Roles
Scans for security risks in role-based access control including overly permissive roles, dangerous role grants, and unused access that violates least-privilege principles.
- **ACCOUNTADMIN grants** (Detection) — Detects grants of full admin access
- **Bloated Roles** (Violation/Vulnerability) — Roles with excessive privileges
- **Least Used Role Grants** (Violation/Vulnerability) — Identifies dormant role assignments
## Users
Scans for security risks related to user accounts including excessive access concentration, stale credentials, and accounts that may pose elevated risk if compromised.
- **Most dangerous user** (Violation/Vulnerability) — Users with concentrated access
- **Users by Password Age** (Violation/Vulnerability) — Detects stale passwords
## Configuration
Scans for changes to security-critical configurations that control network access, authentication policies, and account-level settings.
- **Network policy changes** (Detection) — Monitors network access control changes
## Authentication
Scans for authentication-related security events including failed login attempts that may indicate credential attacks or account compromise attempts.
- **Number of login failures** (Detection) — Detects potential credential attacks
## Sharing
Scans for changes to data sharing configurations including shares, listings, and reader accounts that could expose data to unintended external parties.
- **Reader account creation** (Detection) — Detects new external access points
- **Listing changes monitor** (Detection) — Monitors Marketplace listing changes
- **SHAREs changes monitor** (Detection) — Monitors data share modifications
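Provider:
Snowflake
Created:
2026-03-10
Summary of original information
SnowSentry Trust Center Extension dataset overview
Dataset name
SnowSentry Trust Center Extension
Provider
Snowflake
Access and cost
- Cost: free to install
- Access: unlimited access
- Important note: Running the scanners consumes Snowflake compute resources and incurs credit charges.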
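Business needs
Risk analysis
SnowSentry Trust Center Extension scans your Snowflake account for vulnerabilities across user access, role configuration, authentication, network policies, and data sharing. It strengthens your security posture by detecting misconfigurations and suspicious activity through actionable findings.
Security information
- Security framework: Native App Framework, secure by design
- Security review: This application has undergone a Snowflake security review.
- Access control: Your data is protected by Snowflake role-based access control.
- Post-installation recommendation: The provider recommends granting the following privileges as needed:
  - Account-level privileges
  - Object privileges
  - Connections
  - Application events
Categories
- Risk analysis
- Trust Center extension
Time coverage
- Last 7 days
- Daily
Geographic coverage
- Global
- By state
Cloud region availability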
AWS
- Africa (Cape Town)
- Asia Pacific (Jakarta)
- Asia Pacific (Mumbai)
- Asia Pacific (Osaka)
- 49 More
Legal terms
Standard
Contact information
- Sales: snowflake-provider@snowflake.com
- Support: https://snowflake.com/support



