Encryption, Alerts, and Notifications

Snowflake Management, Governance & Collaboration

Emily Melhuish

Technical Curriculum Developer, Snowflake

Three Layers of Protection

Three-layer diagram showing encryption at the top, alerts in the middle, and notifications at the bottom

Encryption at Rest and In-Transit

	At Rest	In Transit
Standard	AES-256	TLS 1.2 or higher
Key rotation	Automatic	N/A
Scope	Stored data	Client and internal traffic

Key Management Options

Encryption model	Description
Snowflake-managed keys	Default. Snowflake manages encryption keys on your behalf. Sufficient for most organizations.
Customer-managed keys (Tri-Secret Secure)	For organizations with sensitive data. Customer holds the master encryption key through AWS KMS, Azure Key Vault, or GCP KMS.

Tri-Secret Secure

Requires three things simultaneously to decrypt data
Snowflake's key + customer's KMS key + successful user authentication
If the customer revokes their key, Snowflake itself cannot access the data
Available on Business Critical edition and above

Three keys

What is a Snowflake Alert?

Evaluates a SQL condition and fires an action when it's true
Scheduled: runs on a CRON or minute/hour interval
Event-driven: fires when new data arrives in a stream
When the condition is true, the alert executes an action: typically a notification

¹ https://docs.snowflake.com/en/user-guide/alerts

Alert Structure in SQL

CREATE ALERT claro_failed_login_alert
  WAREHOUSE = claro_wh
  SCHEDULE = '60 MINUTE'
  IF (EXISTS (
    SELECT 1
    FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
    WHERE error_code IS NOT NULL
      AND event_timestamp >= DATEADD('hour', -1, CURRENT_TIMESTAMP())
  ))
  THEN CALL SYSTEM$SEND_SNOWFLAKE_NOTIFICATION(...);

Notification Integrations

Notifications

Let's practice!

Snowflake Management, Governance & Collaboration