Appendix
Glossary, scope and assumptions, and references.
Glossary
| Term | Meaning in this report |
|---|---|
| ACCOUNT_USAGE | The schema in the SNOWFLAKE shared database that exposes account-level audit and inventory views (LOGIN_HISTORY, QUERY_HISTORY, STAGES, SHARES, etc.). Latency is approximately 45 minutes. |
| Snowflake Trail | Newer near-real-time audit surface; lower latency than ACCOUNT_USAGE and covers some events not visible there. The right source for time-sensitive alerting pipelines. |
| Trust Center | Snowflake's first-party security-posture scanner. The "Security Essentials" pack flags missing MFA, missing network policies, and over-privileged service users. |
| Horizon Catalog | Snowflake's governance plane: data classification and tagging, column- and row-level security, masking and tokenization policies, and Cortex AI Guardrails. |
| Cortex Code | Agentic CLI that operates against a developer's local filesystem, can run shell commands, and holds cached Snowflake tokens. Subject of CVE-2026-6442. |
| Cortex Analyst | Text-to-SQL over a curated semantic model. Constrained to SELECT at the Analyst boundary; an Agent that wraps Analyst is not so constrained. |
| Cortex Search | Embedding-based search over customer-indexed documents. Indexed content becomes a potential indirect-prompt-injection delivery channel for downstream Agents. |
| Cortex Agents | Orchestration layer that combines Cortex Analyst, Cortex Search, and tool calls (including MCP). Inherits the trust profile of every constituent component. |
| NAAAPS | Native App Anti-Abuse Pipeline Service — Snowflake's automated review pipeline for every new Native App version or patch. Auto-approve or escalate to manual review. |
| SPCS | Snowpark Container Services — container hosting inside a Snowflake account, with strict default network isolation modulated by customer-managed EXTERNAL ACCESS INTEGRATIONs. |
| Storage Integration | Snowflake object that binds the warehouse to an IAM role (or Azure managed identity / GCP service account) in the customer's cloud account, enabling external-stage reads and writes. |
| External Function | SQL-callable function whose implementation lives in AWS API Gateway, Azure API Management, or Google Cloud Run. The execution role of the backing function is the trust boundary. |
| Direct Share | Cross-account read access granted by CREATE SHARE and ALTER SHARE ... ADD ACCOUNTS. Data motion runs server-side; no QUERY_HISTORY entry on the consumer side for the data itself. |
| Replication Group | Snowflake primitive for bulk replication of databases and integration objects across accounts and regions. Useful for DR; abusable for query-history-bypass exfil. |
| Reader Account | Provider-controlled Snowflake tenant created for a consumer who does not have their own Snowflake contract. Misconfigured reader accounts can serve as unmanaged exfil destinations. |
| PAT | Programmatic Access Token — long-lived bearer token scoped to a specific role and (optionally) a specific network policy. GA 2024/2025. |
| SCIM | System for Cross-domain Identity Management — the IdP-side provisioning channel that syncs users and group memberships into Snowflake. The SCIM bearer token is the trust article. |
| MCP | Model Context Protocol — open protocol for exposing tools to LLM-driven agents. Cortex Agents can consume MCP tools; tool descriptors and tool output flow into the Agent's grounding context. |
| FROSTBITE | The reconnaissance utility Mandiant attributed to UNC5537 during the 2024 Snowflake breach campaign — enumerated users, roles, current IP, session IDs, and organization names via SQL. |
Scope and threat-model assumptions
In scope
- Snowflake authentication and identity (password, MFA, key-pair, OAuth, SAML, SCIM, PATs).
- Cortex AI surface — Code, Analyst, Search, Agents, Document AI — including MCP tool integrations.
- Native Apps and the Marketplace consumer / provider trust boundary.
- Snowpark Container Services and Streamlit-in-Snowflake.
- External Functions and Storage Integrations as outbound trust paths into customer cloud accounts.
- Data Sharing primitives: Direct Shares, Replication Groups, Reader Accounts.
- Execution primitives: stored procedures, UDFs, Tasks.
- Detection surface: ACCOUNT_USAGE, Snowflake Trail, Trust Center, Cortex AI audit events.
Out of scope and known limits
- Server-side Snowflake service vulnerabilities. Multi-tenant SaaS issues are remediated server-side and rarely receive CVEs. The Trust Center and platform security bulletins are the authoritative signal for service-side posture.
- Cortex Guardrails detection-quality characterization. Guardrails is referenced as a detection layer; this assessment does not empirically measure its false-positive / false-negative rate on a corpus of public indirect-prompt-injection payloads.
- SPCS egress-filter depth. Service-spec misconfiguration is the modeled threat (Chain H); this report does not characterize whether the egress inspection layer is DNS-only, SNI, or full L7.
- Snowflake Trail vs. ACCOUNT_USAGE event-coverage diff. Both audit surfaces are referenced; a precise field-by-field mapping is a follow-on effort.
- Vendor-side disclosures about Cortex inference egress. Exact payload shape, retention, and cross-invocation caching at Anthropic / Azure-OpenAI are vendor-side facts to obtain through a DPA review, not red-team activity.
Threat-model assumptions
- Attacker is financially motivated, capable, and patient — the UNC5537 profile, augmented with 2026-era AI-aware tradecraft.
- Initial-access dictionary includes infostealer logs, AiTM-captured federated cookies, IdP compromise, CI/CD compromise, and developer-host compromise.
- Customer has a SIEM that receives connector logs and at least some Snowflake audit events.
- The customer's IdP (Entra / Okta / Ping) is trusted for human users; the IdP is itself a soft target for chain D.
- Snowflake's platform-default controls as of 2026 are in place but customer adoption of opt-in hardening (network policies on key-pair users, MFA-verified federation, audit replication across regions) is uneven.
Companion material in this repository
- docs/analysis/snowflake-platform-attack-surface-2026.md — the analytical companion to this report.
- docs/analysis/entra-2026-state-of-play.md — relevant for chain D (federated-IdP compromise).
- docs/analysis/aitm-kit-market-2026.md — relevant for chain A and chain D credential-theft initial access.
- docs/methodology/llm-attack-modeling.md — Cortex chains B and I directly extend this methodology.
- docs/methodology/ci-cd-attack-modeling.md — relevant for chain C (provider-account compromise) and chain F (CI-runner compromise).