{
  "report_id": "SF-LAT-20260427-004934",
  "cloud": "snowflake",
  "account_label": "titan-snowflake-prod-20260427",
  "tenant": "titan-snowflake-prod-20260427",
  "connection_mode": "native",
  "rules_pack_last_pull": null,
  "llm_used": false,
  "generated_at": "2026-04-27T00:48:36+00:00",
  "summary": {
    "total_findings": 54,
    "by_severity": {
      "critical": 9,
      "high": 31,
      "medium": 14,
      "low": 0
    },
    "detectors_active": 31
  },
  "findings": [
    {
      "FID": "SF-13DB9B6D",
      "Severity": "critical",
      "Detector": "SF-LAT-001",
      "DetectorName": "users_without_mfa",
      "Resource": "TITANBAD_STALE",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d) Person or Entity Authentication; CIS Snowflake 1.4",
      "Recommendation": "Enroll all human users in Duo or Snowflake-managed MFA. Service users should use RSA key-pair auth, not password+MFA.",
      "FixApplied": "ALTER USER <name> SET MINS_TO_BYPASS_MFA = 0; -- then have user enroll in MFA",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 90,
      "RowDetail": {
        "email": "None"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-6E0E4AA1",
      "Severity": "critical",
      "Detector": "SF-LAT-001",
      "DetectorName": "users_without_mfa",
      "Resource": "TITANBAD_NOMFA2",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d) Person or Entity Authentication; CIS Snowflake 1.4",
      "Recommendation": "Enroll all human users in Duo or Snowflake-managed MFA. Service users should use RSA key-pair auth, not password+MFA.",
      "FixApplied": "ALTER USER <name> SET MINS_TO_BYPASS_MFA = 0; -- then have user enroll in MFA",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 90,
      "RowDetail": {
        "email": "None"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-FB127BCB",
      "Severity": "critical",
      "Detector": "SF-LAT-001",
      "DetectorName": "users_without_mfa",
      "Resource": "TITANBAD_NOMFA1",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d) Person or Entity Authentication; CIS Snowflake 1.4",
      "Recommendation": "Enroll all human users in Duo or Snowflake-managed MFA. Service users should use RSA key-pair auth, not password+MFA.",
      "FixApplied": "ALTER USER <name> SET MINS_TO_BYPASS_MFA = 0; -- then have user enroll in MFA",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 90,
      "RowDetail": {
        "email": "None"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-D2F50300",
      "Severity": "critical",
      "Detector": "SF-LAT-001",
      "DetectorName": "users_without_mfa",
      "Resource": "TITANADMIN",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d) Person or Entity Authentication; CIS Snowflake 1.4",
      "Recommendation": "Enroll all human users in Duo or Snowflake-managed MFA. Service users should use RSA key-pair auth, not password+MFA.",
      "FixApplied": "ALTER USER <name> SET MINS_TO_BYPASS_MFA = 0; -- then have user enroll in MFA",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 90,
      "RowDetail": {
        "email": "info@titanaisec.com"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-759FEE07",
      "Severity": "critical",
      "Detector": "SF-LAT-001",
      "DetectorName": "users_without_mfa",
      "Resource": "SVC_TITANBAD_BROAD",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d) Person or Entity Authentication; CIS Snowflake 1.4",
      "Recommendation": "Enroll all human users in Duo or Snowflake-managed MFA. Service users should use RSA key-pair auth, not password+MFA.",
      "FixApplied": "ALTER USER <name> SET MINS_TO_BYPASS_MFA = 0; -- then have user enroll in MFA",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 90,
      "RowDetail": {
        "email": "None"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-77DEBC9D",
      "Severity": "high",
      "Detector": "SF-LAT-002",
      "DetectorName": "users_password_auth",
      "Resource": "TITANADMIN",
      "Title": "Users authenticating with password instead of RSA key",
      "Citation": "CIS Snowflake 1.6; NIST 800-53 IA-5",
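      "Recommendation": "Move service accounts to RSA key-pair authentication. Passwords are weaker, harder to rotate, and cannot be audited at per-call granularity. Confirm whether the flagged user is a human or a service identity before unsetting the password; human users should sign in with an interactive method protected by MFA.",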
      "FixApplied": "ALTER USER <name> SET RSA_PUBLIC_KEY='<key>'; ALTER USER <name> UNSET PASSWORD;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "email": "info@titanaisec.com",
        "type": "None"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-DEF9323B",
      "Severity": "high",
      "Detector": "SF-LAT-002",
      "DetectorName": "users_password_auth",
      "Resource": "TITANBAD_NOMFA1",
      "Title": "Users authenticating with password instead of RSA key",
      "Citation": "CIS Snowflake 1.6; NIST 800-53 IA-5",
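      "Recommendation": "Move service accounts to RSA key-pair authentication. Passwords are weaker, harder to rotate, and cannot be audited at per-call granularity. Confirm whether the flagged user is a human or a service identity before unsetting the password; human users should sign in with an interactive method protected by MFA.",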
      "FixApplied": "ALTER USER <name> SET RSA_PUBLIC_KEY='<key>'; ALTER USER <name> UNSET PASSWORD;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "email": "None",
        "type": "PERSON"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-5A27C20A",
      "Severity": "high",
      "Detector": "SF-LAT-002",
      "DetectorName": "users_password_auth",
      "Resource": "TITANBAD_NOMFA2",
      "Title": "Users authenticating with password instead of RSA key",
      "Citation": "CIS Snowflake 1.6; NIST 800-53 IA-5",
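      "Recommendation": "Move service accounts to RSA key-pair authentication. Passwords are weaker, harder to rotate, and cannot be audited at per-call granularity. Confirm whether the flagged user is a human or a service identity before unsetting the password; human users should sign in with an interactive method protected by MFA.",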
      "FixApplied": "ALTER USER <name> SET RSA_PUBLIC_KEY='<key>'; ALTER USER <name> UNSET PASSWORD;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "email": "None",
        "type": "PERSON"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-166BFB83",
      "Severity": "high",
      "Detector": "SF-LAT-002",
      "DetectorName": "users_password_auth",
      "Resource": "TITANBAD_STALE",
      "Title": "Users authenticating with password instead of RSA key",
      "Citation": "CIS Snowflake 1.6; NIST 800-53 IA-5",
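      "Recommendation": "Move service accounts to RSA key-pair authentication. Passwords are weaker, harder to rotate, and cannot be audited at per-call granularity. Confirm whether the flagged user is a human or a service identity before unsetting the password; human users should sign in with an interactive method protected by MFA.",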
      "FixApplied": "ALTER USER <name> SET RSA_PUBLIC_KEY='<key>'; ALTER USER <name> UNSET PASSWORD;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "email": "None",
        "type": "PERSON"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-B2828195",
      "Severity": "high",
      "Detector": "SF-LAT-002",
      "DetectorName": "users_password_auth",
      "Resource": "SVC_TITANBAD_BROAD",
      "Title": "Users authenticating with password instead of RSA key",
      "Citation": "CIS Snowflake 1.6; NIST 800-53 IA-5",
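      "Recommendation": "Move service accounts to RSA key-pair authentication. Passwords are weaker, harder to rotate, and cannot be audited at per-call granularity. Confirm whether the flagged user is a human or a service identity before unsetting the password; human users should sign in with an interactive method protected by MFA.",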
      "FixApplied": "ALTER USER <name> SET RSA_PUBLIC_KEY='<key>'; ALTER USER <name> UNSET PASSWORD;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "email": "None",
        "type": "PERSON"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-92328D32",
      "Severity": "medium",
      "Detector": "SF-LAT-003",
      "DetectorName": "stale_users",
      "Resource": "SVC_TITANBAD_BROAD",
      "Title": "Stale users (no login in 90 days)",
      "Citation": "CIS Snowflake 1.10; NIST 800-53 AC-2(3)",
      "Recommendation": "Disable users with no login in 90 days. Service accounts that legitimately do not log in should be tagged so they are not flagged.",
      "FixApplied": "ALTER USER <name> SET DISABLED = TRUE;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "email": "None",
        "last_login": "never"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-34530C97",
      "Severity": "medium",
      "Detector": "SF-LAT-003",
      "DetectorName": "stale_users",
      "Resource": "TITANBAD_NOMFA2",
      "Title": "Stale users (no login in 90 days)",
      "Citation": "CIS Snowflake 1.10; NIST 800-53 AC-2(3)",
      "Recommendation": "Disable users with no login in 90 days. Service accounts that legitimately do not log in should be tagged so they are not flagged.",
      "FixApplied": "ALTER USER <name> SET DISABLED = TRUE;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "email": "None",
        "last_login": "never"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-05C9A247",
      "Severity": "medium",
      "Detector": "SF-LAT-003",
      "DetectorName": "stale_users",
      "Resource": "TITANBAD_STALE",
      "Title": "Stale users (no login in 90 days)",
      "Citation": "CIS Snowflake 1.10; NIST 800-53 AC-2(3)",
      "Recommendation": "Disable users with no login in 90 days. Service accounts that legitimately do not log in should be tagged so they are not flagged.",
      "FixApplied": "ALTER USER <name> SET DISABLED = TRUE;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "email": "None",
        "last_login": "never"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-722324A5",
      "Severity": "medium",
      "Detector": "SF-LAT-003",
      "DetectorName": "stale_users",
      "Resource": "TITANBAD_NOMFA1",
      "Title": "Stale users (no login in 90 days)",
      "Citation": "CIS Snowflake 1.10; NIST 800-53 AC-2(3)",
      "Recommendation": "Disable users with no login in 90 days. Service accounts that legitimately do not log in should be tagged so they are not flagged.",
      "FixApplied": "ALTER USER <name> SET DISABLED = TRUE;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "email": "None",
        "last_login": "never"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-15BFB696",
      "Severity": "high",
      "Detector": "SF-LAT-006",
      "DetectorName": "network_policy_missing",
      "Resource": "account",
      "Title": "Account-level network policy not configured",
      "Citation": "HIPAA 164.312(e)(1) Transmission Security; CIS Snowflake 1.13",
      "Recommendation": "Apply at least one account-level network policy that restricts logins to corporate egress IPs and approved cloud IP ranges.",
      "FixApplied": "CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST=('1.2.3.4/32', ...); ALTER ACCOUNT SET NETWORK_POLICY = corp_only;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "policies_in_use": "0"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-C42A3A46",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PATIENT_ID",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-326237BE",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_SSN",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-6BEEAEAD",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.SSN",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-90CA4264",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MEMBER_ID",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-0D89C4E9",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.DOB",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve. This column is of type DATE, so the masking policy must take and return DATE rather than STRING.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "DATE"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-1525D3DB",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MRN",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-6C44BD2B",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PHONE",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-BD8BAB49",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_DOB",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve. This column is of type DATE, so the masking policy must take and return DATE rather than STRING.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "DATE"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-C0EA84A5",
      "Severity": "high",
      "Detector": "SF-LAT-007",
      "DetectorName": "masking_policy_phi_columns",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.EMAIL",
      "Title": "Likely-PHI / PII columns without a masking policy",
      "Citation": "HIPAA 164.502 Uses and Disclosures of PHI; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values. Continuous re-scan flags new columns as schemas evolve.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <t> MODIFY COLUMN <c> SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "data_type": "TEXT"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-EDB0FC3F",
      "Severity": "medium",
      "Detector": "SF-LAT-008",
      "DetectorName": "row_access_policy_missing",
      "Resource": "SNOWFLAKE.TRUST_CENTER.ACCOUNT_NOTIFICATION_RECIPIENTS",
      "Title": "Sensitive tables without a row-access policy",
      "Citation": "HIPAA 164.312(a)(1); CIS Snowflake 4.6",
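      "Recommendation": "Apply a row-access policy on PHI / patient / member / financial tables so each role sees only its in-scope rows. This resource is in the Snowflake-provided SNOWFLAKE database and was probably matched on its name; confirm it is in scope before treating this as a finding.",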
      "FixApplied": "CREATE ROW ACCESS POLICY tenant_scope AS (tenant STRING) RETURNS BOOLEAN -> tenant = CURRENT_ROLE(); ALTER TABLE <t> ADD ROW ACCESS POLICY tenant_scope ON (tenant_col);",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "Confidence": 0.5
    },
    {
      "FID": "SF-56E9FA46",
      "Severity": "medium",
      "Detector": "SF-LAT-008",
      "DetectorName": "row_access_policy_missing",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT",
      "Title": "Sensitive tables without a row-access policy",
      "Citation": "HIPAA 164.312(a)(1); CIS Snowflake 4.6",
      "Recommendation": "Apply a row-access policy on PHI / patient / member / financial tables so each role sees only its in-scope rows.",
      "FixApplied": "CREATE ROW ACCESS POLICY tenant_scope AS (tenant STRING) RETURNS BOOLEAN -> tenant = CURRENT_ROLE(); ALTER TABLE <t> ADD ROW ACCESS POLICY tenant_scope ON (tenant_col);",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "Confidence": 0.5
    },
    {
      "FID": "SF-78DC5139",
      "Severity": "medium",
      "Detector": "SF-LAT-008",
      "DetectorName": "row_access_policy_missing",
      "Resource": "SNOWFLAKE.TRUST_CENTER_STATE.ACCOUNT_NOTIFICATION_METADATA",
      "Title": "Sensitive tables without a row-access policy",
      "Citation": "HIPAA 164.312(a)(1); CIS Snowflake 4.6",
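      "Recommendation": "Apply a row-access policy on PHI / patient / member / financial tables so each role sees only its in-scope rows. This resource is in the Snowflake-provided SNOWFLAKE database and was probably matched on its name; confirm it is in scope before treating this as a finding.",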
      "FixApplied": "CREATE ROW ACCESS POLICY tenant_scope AS (tenant STRING) RETURNS BOOLEAN -> tenant = CURRENT_ROLE(); ALTER TABLE <t> ADD ROW ACCESS POLICY tenant_scope ON (tenant_col);",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "Confidence": 0.5
    },
    {
      "FID": "SF-772DFFA0",
      "Severity": "medium",
      "Detector": "SF-LAT-008",
      "DetectorName": "row_access_policy_missing",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI",
      "Title": "Sensitive tables without a row-access policy",
      "Citation": "HIPAA 164.312(a)(1); CIS Snowflake 4.6",
      "Recommendation": "Apply a row-access policy on PHI / patient / member / financial tables so each role sees only its in-scope rows.",
      "FixApplied": "CREATE ROW ACCESS POLICY tenant_scope AS (tenant STRING) RETURNS BOOLEAN -> tenant = CURRENT_ROLE(); ALTER TABLE <t> ADD ROW ACCESS POLICY tenant_scope ON (tenant_col);",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "Confidence": 0.5
    },
    {
      "FID": "SF-AC760964",
      "Severity": "medium",
      "Detector": "SF-LAT-008",
      "DetectorName": "row_access_policy_missing",
      "Resource": "SNOWFLAKE.TRUST_CENTER_STATE.ACCOUNT_NOTIFICATION_HISTORY",
      "Title": "Sensitive tables without a row-access policy",
      "Citation": "HIPAA 164.312(a)(1); CIS Snowflake 4.6",
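      "Recommendation": "Apply a row-access policy on PHI / patient / member / financial tables so each role sees only its in-scope rows. This resource is in the Snowflake-provided SNOWFLAKE database and was probably matched on its name; confirm it is in scope before treating this as a finding.",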
      "FixApplied": "CREATE ROW ACCESS POLICY tenant_scope AS (tenant STRING) RETURNS BOOLEAN -> tenant = CURRENT_ROLE(); ALTER TABLE <t> ADD ROW ACCESS POLICY tenant_scope ON (tenant_col);",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "Confidence": 0.5
    },
    {
      "FID": "SF-0AF03015",
      "Severity": "high",
      "Detector": "SF-LAT-015",
      "DetectorName": "authentication_policy_missing",
      "Resource": "account",
      "Title": "Authentication policy not configured at account level",
      "Citation": "PCI-DSS 8.2; NIST 800-53 IA-2; HIPAA 164.308(a)(5)(ii)(D)",
      "Recommendation": "Apply an authentication policy at account level that requires MFA, restricts auth methods to PASSWORD+MFA / KEYPAIR / SAML, and disables legacy paths.",
      "FixApplied": "CREATE AUTHENTICATION POLICY require_mfa ALLOWED_AUTHENTICATION_METHODS=('PASSWORD','KEYPAIR','SAML') MFA_AUTHENTICATION_METHODS=('PASSWORD'); ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "policies_in_use": "0"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-580253AF",
      "Severity": "medium",
      "Detector": "SF-LAT-016",
      "DetectorName": "session_policy_missing_or_long",
      "Resource": "no_session_policy",
      "Title": "Session policy missing or idle timeout above 60 minutes",
      "Citation": "PCI-DSS 8.1.8; NIST 800-53 AC-11; HIPAA 164.312(a)(2)(iii)",
      "Recommendation": "Apply a session policy with idle timeout no greater than 30 minutes (15 for healthcare). PCI requires 15 minutes for cardholder-data environments.",
      "FixApplied": "CREATE SESSION POLICY tight_idle SESSION_IDLE_TIMEOUT_MINS=15; ALTER ACCOUNT SET SESSION POLICY tight_idle;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "session_idle_timeout_mins": "0"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-12D3AB6F",
      "Severity": "medium",
      "Detector": "SF-LAT-023",
      "DetectorName": "time_travel_retention_low",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI",
      "Title": "Sensitive tables with Time Travel retention below 7 days",
      "Citation": "HIPAA 164.316(b)(2)(i); PCI-DSS 10.5.3; SOC 2 CC7.3",
      "Recommendation": "Sensitive tables (PHI, transactions, audit logs) should hold at least 7 days of Time Travel for incident reconstruction. Compliance frameworks frequently require longer log retention.",
      "FixApplied": "ALTER TABLE <table> SET DATA_RETENTION_TIME_IN_DAYS = 30;",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "retention_time": "1"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-01536296",
      "Severity": "high",
      "Detector": "SF-LAT-024",
      "DetectorName": "tri_secret_secure_disabled",
      "Resource": "account",
      "Title": "Customer-managed encryption keys (Tri-Secret Secure) not enabled",
      "Citation": "HIPAA 164.312(a)(2)(iv); FedRAMP SC-12; PCI-DSS 3.5.2",
      "Recommendation": "Enable Tri-Secret Secure so encryption requires a customer-controlled KMS key. This is a Business Critical / Enterprise-tier feature; if your account is on a lower tier and you handle PHI / cardholder data, request the upgrade.",
      "FixApplied": "Contact Snowflake support to enable Tri-Secret Secure on the account; provide your AWS KMS / Azure Key Vault / GCP KMS key reference.",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 75,
      "RowDetail": {
        "account": "YU42410",
        "tri_secret_status": "disabled"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-FD4CA6BD",
      "Severity": "medium",
      "Detector": "SF-LAT-025",
      "DetectorName": "replication_failover_missing",
      "Resource": "account",
      "Title": "No replication or failover groups for HIPAA / PCI workloads",
      "Citation": "HIPAA 164.308(a)(7) Contingency; PCI-DSS 12.10.1; SOC 2 A1.2",
      "Recommendation": "Configure at least one failover group covering the regulated databases. RPO and RTO requirements (HIPAA: 24h backup target) are not satisfied by Time Travel alone.",
      "FixApplied": "CREATE FAILOVER GROUP regulated_data OBJECT_TYPES=(DATABASES, ROLES) ALLOWED_DATABASES=(<list>) ALLOWED_ACCOUNTS=(<dr_account>) REPLICATION_SCHEDULE='10 MINUTE';",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "failover_groups": "0"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-AC60A281",
      "Severity": "medium",
      "Detector": "SF-LAT-026",
      "DetectorName": "cortex_ai_phi_egress",
      "Resource": "TITANADMIN",
      "Title": "Recent Cortex AI calls invoked from likely-PHI tables",
      "Citation": "HIPAA 164.502; NIST AI RMF GV-2",
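      "Recommendation": "Cortex AI calls send data to Snowflake's hosted LLM. For PHI workloads, confirm the BAA covers Cortex inference and that PHI is masked or tokenized before the call. Detection is a keyword match on query text, and the sample query recorded for this finding is itself a QUERY_HISTORY search for those keywords, so verify that real Cortex calls touched PHI before acting.",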
      "FixApplied": "Apply masking policy to PHI columns before they can be passed to CORTEX functions; add a row-access policy that hides PHI from the role used by Cortex callers.",
      "DetectedAt": "2026-04-27T00:48:36+00:00",
      "Priority": 55,
      "RowDetail": {
        "calls": "5",
        "sample_query": "SELECT\n              user_name AS resource,\n              COUNT(*) AS calls,\n              ANY_VALUE(query_text) AS sample_query\n            FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY\n            WHERE start_time > DATEADD(hour, -24, CURRENT_TIMESTAMP())\n              AND (UPPER(query_text) LIKE '%CORTEX%COMPLETE%'\n                   OR UPPER(query_text) LIKE '%CORTEX%SUMMARIZE%'\n                   OR UPPER(query_text) LIKE '%CORTEX%TRANSLATE%'\n                   OR UPPER(query_text) LIKE '%CORTEX%EXTRACT_ANSWER%')\n              AND (UPPER(query_text) LIKE '%PHI%'\n                   OR UPPER(query_text) LIKE '%PATIENT%'\n                   OR UPPER(query_text) LIKE '%MEMBER%'\n                   OR UPPER(query_text) LIKE '%MRN%')\n            GROUP BY user_name\n            LIMIT 50"
      },
      "Confidence": 0.5
    },
    {
      "FID": "SF-035143A9",
      "Severity": "high",
      "Detector": "SF-LAT-RT-001",
      "DetectorName": "users_no_mfa_realtime",
      "Resource": "SVC_TITANBAD_BROAD",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d); CIS Snowflake 1.4",
      "Recommendation": "Enrol the user in Duo or Snowflake-managed MFA. Service users must use RSA key-pair auth instead.",
      "FixApplied": "ALTER USER SVC_TITANBAD_BROAD SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "login_name=SVC_TITANBAD_BROAD default_role=PUBLIC",
      "Confidence": 0.5
    },
    {
      "FID": "SF-1AB7DFEF",
      "Severity": "critical",
      "Detector": "SF-LAT-RT-001",
      "DetectorName": "users_no_mfa_realtime",
      "Resource": "TITANADMIN",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d); CIS Snowflake 1.4",
      "Recommendation": "Enrol the user in Duo or Snowflake-managed MFA. Service users must use RSA key-pair auth instead.",
      "FixApplied": "ALTER USER TITANADMIN SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 90,
      "Source": "realtime",
      "Detail": "login_name=TITANADMIN default_role=ACCOUNTADMIN",
      "Confidence": 0.5
    },
    {
      "FID": "SF-AE0FD726",
      "Severity": "high",
      "Detector": "SF-LAT-RT-001",
      "DetectorName": "users_no_mfa_realtime",
      "Resource": "TITANBAD_NOMFA1",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d); CIS Snowflake 1.4",
      "Recommendation": "Enrol the user in Duo or Snowflake-managed MFA. Service users must use RSA key-pair auth instead.",
      "FixApplied": "ALTER USER TITANBAD_NOMFA1 SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "login_name=TITANBAD_NOMFA1 default_role=PUBLIC",
      "Confidence": 0.5
    },
    {
      "FID": "SF-7240BD28",
      "Severity": "high",
      "Detector": "SF-LAT-RT-001",
      "DetectorName": "users_no_mfa_realtime",
      "Resource": "TITANBAD_NOMFA2",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d); CIS Snowflake 1.4",
      "Recommendation": "Enrol the user in Duo or Snowflake-managed MFA. Service users must use RSA key-pair auth instead.",
      "FixApplied": "ALTER USER TITANBAD_NOMFA2 SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "login_name=TITANBAD_NOMFA2 default_role=PUBLIC",
      "Confidence": 0.5
    },
    {
      "FID": "SF-A1CE6089",
      "Severity": "high",
      "Detector": "SF-LAT-RT-001",
      "DetectorName": "users_no_mfa_realtime",
      "Resource": "TITANBAD_STALE",
      "Title": "Users without MFA enrolled",
      "Citation": "HIPAA 164.312(d); CIS Snowflake 1.4",
      "Recommendation": "Enrol the user in Duo or Snowflake-managed MFA. Service users must use RSA key-pair auth instead.",
      "FixApplied": "ALTER USER TITANBAD_STALE SET MINS_TO_BYPASS_MFA = 0; -- then enrol in MFA",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "login_name=TITANBAD_STALE default_role=PUBLIC",
      "Confidence": 0.5
    },
    {
      "FID": "SF-1E80C553",
      "Severity": "critical",
      "Detector": "SF-LAT-RT-002",
      "DetectorName": "public_role_grants_phi",
      "Resource": "TITAN_DEMO.PUBLIC_BAD",
      "Title": "PUBLIC role granted on regulated data object",
      "Citation": "HIPAA 164.502; PCI-DSS 7.1; CIS Snowflake 2.1",
      "Recommendation": "Revoke the privilege from PUBLIC. PUBLIC is granted to every role automatically; non-default grants on PUBLIC make data world-readable inside the account.",
      "FixApplied": "REVOKE USAGE ON SCHEMA TITAN_DEMO.PUBLIC_BAD FROM ROLE PUBLIC;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 90,
      "Source": "realtime",
      "Detail": "privilege=USAGE granted_by=ACCOUNTADMIN",
      "Confidence": 0.5
    },
    {
      "FID": "SF-6DECC9B4",
      "Severity": "critical",
      "Detector": "SF-LAT-RT-002",
      "DetectorName": "public_role_grants_phi",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT",
      "Title": "PUBLIC role granted on regulated data object",
      "Citation": "HIPAA 164.502; PCI-DSS 7.1; CIS Snowflake 2.1",
      "Recommendation": "Revoke the privilege from PUBLIC. PUBLIC is granted to every role automatically; non-default grants on PUBLIC make data world-readable inside the account.",
      "FixApplied": "REVOKE SELECT ON TABLE TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT FROM ROLE PUBLIC;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 90,
      "Source": "realtime",
      "Detail": "privilege=SELECT granted_by=ACCOUNTADMIN",
      "Confidence": 0.5
    },
    {
      "FID": "SF-E3C04A5C",
      "Severity": "critical",
      "Detector": "SF-LAT-RT-002",
      "DetectorName": "public_role_grants_phi",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI",
      "Title": "PUBLIC role granted on regulated data object",
      "Citation": "HIPAA 164.502; PCI-DSS 7.1; CIS Snowflake 2.1",
      "Recommendation": "Revoke the privilege from PUBLIC. PUBLIC is granted to every role automatically; non-default grants on PUBLIC make data world-readable inside the account.",
      "FixApplied": "REVOKE SELECT ON TABLE TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI FROM ROLE PUBLIC;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 90,
      "Source": "realtime",
      "Detail": "privilege=SELECT granted_by=ACCOUNTADMIN",
      "Confidence": 0.5
    },
    {
      "FID": "SF-11E5CD9F",
      "Severity": "medium",
      "Detector": "SF-LAT-RT-003",
      "DetectorName": "role_privilege_explosion_realtime",
      "Resource": "R_TITANBAD_EXPLOSION",
      "Title": "Role holds 10 distinct privileges",
      "Citation": "NIST 800-53 AC-6 Least Privilege; CIS Snowflake 2.5",
      "Recommendation": "Split this role into purpose-specific sub-roles. A single role with many privileges is hard to audit and tends to accumulate over-grant.",
      "FixApplied": "Identify each functional purpose; CREATE sub-roles; GRANT specific privileges; over time REVOKE direct grants.",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 55,
      "Source": "realtime",
      "Detail": "distinct_privileges=10",
      "Confidence": 0.5
    },
    {
      "FID": "SF-0D571CCF",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.EMAIL",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN EMAIL SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-FA8B1085",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MEMBER_ID",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN MEMBER_ID SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-86C71FA7",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.DOB",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
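      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN DOB SET MASKING POLICY phi_redact; -- DOB is DATE: a masking policy's input and return types must match the column type, so this column needs a DATE-typed policy (AS (val DATE) RETURNS DATE, e.g. ELSE NULL) rather than the STRING policy phi_redact",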
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=DATE",
      "Confidence": 0.5
    },
    {
      "FID": "SF-F96D6021",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.SSN",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN SSN SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-1D90D5C8",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PHONE",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN PHONE SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-C7F4211A",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_DOB",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
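      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN MEMBER_PII_DOB SET MASKING POLICY phi_redact; -- MEMBER_PII_DOB is DATE: a masking policy's input and return types must match the column type, so this column needs a DATE-typed policy (AS (val DATE) RETURNS DATE, e.g. ELSE NULL) rather than the STRING policy phi_redact",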
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=DATE",
      "Confidence": 0.5
    },
    {
      "FID": "SF-419BC036",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.PATIENT_ID",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN PATIENT_ID SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-DE0028EF",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.MEMBER_ACCOUNT.MEMBER_PII_SSN",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN MEMBER_PII_SSN SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-94EFEC7D",
      "Severity": "high",
      "Detector": "SF-LAT-RT-004",
      "DetectorName": "phi_column_unmasked",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.PATIENT_PHI.MRN",
      "Title": "PHI / PII column without masking policy",
      "Citation": "HIPAA 164.502; CIS Snowflake 4.5",
      "Recommendation": "Apply a masking policy on every column whose name suggests PHI / PII so non-clinician roles see hashed or redacted values.",
      "FixApplied": "CREATE MASKING POLICY phi_redact AS (val STRING) RETURNS STRING -> CASE WHEN IS_ROLE_IN_SESSION('CLINICIAN_RO') THEN val ELSE 'REDACTED' END; ALTER TABLE <table> MODIFY COLUMN MRN SET MASKING POLICY phi_redact;",
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "data_type=TEXT",
      "Confidence": 0.5
    },
    {
      "FID": "SF-854AD08E",
      "Severity": "high",
      "Detector": "SF-LAT-RT-005",
      "DetectorName": "external_stage_unencrypted_realtime",
      "Resource": "TITAN_DEMO.PUBLIC_BAD.BAD_EXT_STAGE",
      "Title": "External stage without server-side encryption",
      "Citation": "HIPAA 164.312(a)(2)(iv); CIS Snowflake 4.2",
      "Recommendation": "Configure server-side encryption (AWS-KMS or Azure-KV or GCS-CMEK) on every external stage carrying regulated data.",
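      "FixApplied": "CREATE OR REPLACE STAGE TITAN_DEMO.PUBLIC_BAD.BAD_EXT_STAGE URL='s3://titan-demo-fake-bucket/' STORAGE_INTEGRATION=<si> ENCRYPTION=(TYPE='AWS_SSE_KMS' KMS_KEY_ID='<arn>'); -- CREATE OR REPLACE drops and recreates the stage, which breaks pipes and external tables that reference it; where the stage already exists, ALTER STAGE ... SET ENCRYPTION=(...) changes the setting in place",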
      "DetectedAt": "2026-04-27T00:49:28+00:00",
      "Priority": 75,
      "Source": "realtime",
      "Detail": "url=s3://titan-demo-fake-bucket/",
      "Confidence": 0.5
    }
  ]
}