DEA-C02 Question #119: Real Exam Question with Answer & Explanation

Question

To meet governance requirements, a company needs to completely isolate its production environment from its development and testing environments. The solution must prevent zero- copy cloning from occurring. How can these requirements be met?

Options

• ACreate one account and ensure that strict process controls are in place including a strict Role-
• BCreate one account that includes one database for each business function. Within the database,
• CCreate one account that separates the production, development, and testing environments by
• DCreate three separate accounts, one each for the production, development, and testing

Explanation

Separate Snowflake accounts is the only architecture that achieves true isolation because accounts are the fundamental security boundary in Snowflake - data, compute, users, and roles cannot cross account lines, and zero-copy cloning is restricted to objects within the same account.

• Option A fails because process controls and RBAC within a single account cannot prevent zero-copy cloning - a privileged user could still clone production objects to dev/test schemas.
• Option B fails for the same reason: separate databases within one account don't block cloning; CREATE TABLE dev_db.schema.t CLONE prod_db.schema.t still works across databases in the same account.
• Option C fails because using schemas or virtual warehouses to "separate" environments within a single account provides logical separation only - zero-copy cloning across schemas remains possible.

Memory tip: Think of Snowflake accounts like separate countries with passport control - you simply cannot clone data across borders. Databases, schemas, and roles are like rooms in the same house - convenient, but no real wall stops someone with a key from moving things around.

No community discussion yet for this question.