Free Practice Questions for Snowflake Certification

● Configure and implement Role-Based Access Control (RBAC): ○ Automate RBAC management programmatically ○ Integrate RBAC management with IdPs using SCIM (user group membership) ○ Manage hierarchical RBAC models ● Define and manage custom roles and least-privilege role hierarchies: ○ Understand best practices for role design (functional vs. access roles): ■ System-defined roles ■ SNOWFLAKE database roles ■ SNOWFLAKE application roles ■ User-defined custom roles (account, database, and application) ○ Manage privilege grants in Snowflake

● Implement authenticators, passkeys, and IdP-driven access ● Define, configure, and enforce Multi-Factor Authentication (MFA): ○ Snowflake-managed MFA ○ Externally-managed MFA ● Implement Single-Sign-On (SSO): ○ Configure SAML, and OAuth authentication ○ Troubleshoot SSO integration issues ● Manage secure programmatic access: ○ Implement key-pair authentication ○ Implement Programmatic Access Token (PAT) authentication ○ Implement external API authentication and secrets ● Rotate user credentials ● Configure and monitor session policies ● Design and manage leaked password and malicious IP protections

● Create, implement, and manage network and rules policies: ○ Use network rules for granular access control ○ Rules policies: IP allow lists and deny lists ○ Apply network policies to accounts and users ● Configure and troubleshoot private connectivity and storage integrations: ○ AWS PrivateLink, Azure Private Link, and GCP Private Service Connect ○ Troubleshoot private connectivity issues ● Support multi-cloud network policy enforcement

● Create, implement and manage external access integrations: ○ Use network rules to manage allowed external endpoints ○ Leverage API authentication integrations ○ Establish the order of operations: ■ Perform third-party vendor risk assessment ● Leverage Snowflake secrets for secure authentication with external endpoints: ○ OAuth ○ Cloud provider tokens ○ Passwords ○ Generic strings ● Understand best practice recommendations for secure connectivity from Snowflake to external systems: ○ Egress proxy configurations ○ Configure external functions

● Implement, configure, and manage the customer-managed key component of Tri-Secret Secure ● Implement column-level security ○ Design and apply Dynamic Data Masking policies ○ Create masking policies with SQL expressions and Snowflake functions ○ Manage the masking policy lifecycle: ■ Monitor the impact of policy changes on data visibility ● Use the External Tokenization function ● Use tag-based masking policies ● Use projection policies ● Implement row-access policies: ○ Design and apply row-access policies with SQL expressions and Snowflake functions ○ Understand policy precedence and interactions ○ Manage the row access policy lifecycle: ■ Troubleshoot row access policy enforcement ● Utilize aggregation policies, differential privacy policies, and budgets

● Apply advanced privacy controls for shared data: ○ Use synthetic data to support privacy ● Configure and manage Snowflake Data Clean Rooms: ○ Apply the principles of secure multi-party computation ○ Support collaborative analysis without direct data exposure ○ Understand the security implications of using secure objects, including views, functions, and procedures ● Configure Data Listings

● Leverage account-level parameters to restrict the destinations where Snowflake can write data programmatically ● Leverage account-level and user-level parameters to restrict when users can download query result sets

● Implement Time Travel and Fail-safe for data recovery: ○ Manage Time Travel settings at the table, schema, and account levels ○ Understand the differences and use cases for Time Travel and Fail-safe ○ Differentiate between Time Travel and Fail-safe in context of security and compliance ● Configure and enforce data retention policies ● Define appropriate retention strategies for structured and semi-structured data: ○ Align retention policies with compliance requirements (for example, GDPR and HIPAA) ○ Apply retention settings using DDL and governance tools (for example, tagging and policies) ● Manage the data lifecycle using object lifecycle management features: ○ Automate data archival and purging using lifecycle management best practices ○ Use table metadata and access patterns to determine data aging strategies ○ Leverage features including transient tables, temporary tables, and auto-drop configurations

● Use automatic tag propagation, including tag inheritance: o Audit tagging using the TAG_REFERENCES and TAG_REFERENCES_HISTORY views o Visualize data lineage ● Implement data classification: o Configure automatic, custom, and manual classifications o Integrate data classification into data governance policies

● Manage data replication access control and privileges: o Implement the principle of least privilege for replication-specific roles o Manage and audit privileges such as CREATE REPLICATION GROUP and REPLICATE ● Define and secure ownership of replication and failover group objects ● Manage replication protocols and policies o Configure replication groups to include critical security objects o Replicate network policies to maintain consistent access controls ● Manage the replication of security integrations (SAML2, OAuth, SCIM) to ensure seamless authentication and authorization post-failover ● Validate the replication of users, roles, and grants

● Audit pre-failover readiness: o Conduct periodic audits of replication configurations o Perform controlled tests of the failover process to validate security object promotion and functionality ● Configure Client Redirect ● Execute replication and failover operations: o Monitor audit logs for anomalies during the transition process o Re-establish security configurations for external resources, for example trust relationships for external stages ● Perform a post-failover validation audit: o Verify that replicated network policies and security integrations are active and enforced on the new primary account. o Audit user roles and permissions o Validate the secure client redirection configurations

● Analyze the QUERY_HISTORY and ACCESS_HISTORY views to identify suspicious query patterns and unauthorized data access ● Monitor data access and data transfer history: ○ Monitor the ACCOUNT_USAGE views for information on alert thresholds, correlating events, and incident responses: ■ Use Snowflake Trail observability features ■ Map evidence to security frameworks (such as GDPR, HIPAA, etc.) ■ Manage interfaces for auditors ● Integrate external monitoring and observability tools with Snowflake ● Trace data access within AI/ML workloads running on Snowpark Container Services ● Track changes of the use of secure objects (for example, views, functions, and procedures) ● Monitor login history for authentication anomalies, including brute-force attacks and unauthorized access attempts manually, or using Trust Center and external tools ● Set up automated alerts and notifications for security events: ○ Configure email or external integrations for security alerts using tasks and streams

● Compare and contrast the benefits and consequences of enabling or disabling Snowflake security services and features: ○ Security-related implications ○ Credit consumption considerations ○ Operational-overhead implications ○ Cloud provider implications ● Monitor anomalous credit consumption as a critical security signal: ○ Changes in serverless compute consumption ○ Credit consumption of advanced features, for example AI, Snowpark and Container Services

● Outline how Snowflake's security and governance features support regulatory compliance: o Explain how encryption, access controls, masking, and auditing support regulatory requirements (for example, GDPR, HIPAA, CCPA, and PCI DSS) ● Define, enable, and automate audit policies to support compliance reporting ● Use Snowflake Trust Center resources to support compliance and security: o Snowflake Compliance Center o Security certifications o Compliance reports

● Identify and catalog critical assets within Snowflake ● Identify and document data entry and exit points ● Apply threat modeling methodologies to identify potential threats specific to Snowflake: ○ Data sharing configurations ○ Over-privileged roles and users ○ Compromised service account credentials ○ Vulnerabilities in 3rd-party connections and packages ● Implement mitigation strategies

● Use Snowflake Horizon Catalog to enable security best practices and compliance ● Assess the security of data sharing agreements and configurations with external partners ● Analyze vulnerabilities to determine the likelihood and potential impact ● Develop, implement, and monitor risk mitigation strategies

● Configure and test security alerting mechanisms within Snowflake and integrated SIEM platforms ● Identify, triage, and contain security incidents: ○ Monitor Snowflake logs ○ Investigate alerts from security tools ○ Triage incoming alerts ○ Isolate affected user accounts ○ Revoke compromised credentials or API keys ○ Implement new or update existing network policies ○ Suspend data sharing or integration ● Manage eradication and recovery: ○ Identify the root cause of the incident ○ Remove any malicious access or persisting mechanisms ○ Restore data from backups, Time Travel, or Fail-safe

● Collect and preserve relevant logs and data: ○ ACCOUNT_USAGE views ○ Use Time Travel and Fail-safe to access historical states of data ○ Establish a chain of custody for evidence ● Perform a forensic analysis: ○ Analyze query logs (query_history) to identify what actions were performed ○ Review access logs (access_history) to determine which tables, views, and columns were read or modified ○ Examine login history (login_history) to trace the source IP, client application, and authentication methods used ○ Correlate Snowflake data with logs from other systems (for example, identity provider, network devices) to build an incident timeline

● Design and deploy containerized services using Snowpark Container Services ● Understand the security model of compute pools (for example, isolation and network rules for inbound/outbound data) ● Manage secrets and EXTERNAL_ACCESS_INTEGRATIONS for controlled external network access from services ● Understand the lifecycle management of services and their security implications ● Implement secure data access patterns for services running in Snowpark Container Services: o Establish roles and permissions to ensure services access Snowflake data securely o Manage sensitive configurations within service specifications (YAML) ● Monitor and troubleshoot security issues within Snowpark Container Services deployments: o Use the SERVICE_USAGE_HISTORY and compute pool monitoring views o Monitor container logs

● Implement content moderation and safety using Cortex Large Language Model (LLM) functions: o Configure COMPLETE() and TRY_COMPLETE() functions to filter content o Use filtered responses (for example, NULL from TRY_COMPLETE()) ● Use Cortex functions to classify data and detect anomalies: o Apply CLASSIFY_TEXT() to identify and tag sensitive data categories ● Use Cortex AI for data security: o Apply AI Observability features for Gen AI application security o Use LLM-as-a-Judge to evaluate AI application responses for bias, toxicity, and accuracy (relevant to data security and responsible AI) o Interpret traces to debug and audit the flow of sensitive data through Gen AI applications o Monitor AI application performance metrics related to security and data quality ● Use Cortex Analyst to support secure data exploration: o Securely configure semantic models o Access Cortex Analyst request logs to audit natural language queries and generated SQL ● Configured Cortex Agents to automate security and governance workflows: o Manage Agent orchestration and tool usage o Use Copilot for Snowflake Horizon Catalog to analyze and audit security

● Design and enforce security policies for Native Apps: ○ Secure, package, and share Native Apps ○ Use Streamlit in Snowflake application role ownership parameters ○ Use OAuth to authenticate app users ○ Implications of running Native Apps in Snowpark Container Services ○ Implement User-Based Access Control (UBAC) features with Native Apps ● Manage permissions for app installation and usage ● Secure application code and its dependencies: ○ App internal code ○ Third-party packages and libraries ○ App secrets and credentials