nerdexam
Snowflake

SOL-C01 · Question #47

A security auditor discovers that multiple users are using the 'ACCOUNTADMIN' role directly for their daily tasks. This violates the principle of least privilege. Which of the following actions should

The correct answer is A. Create custom roles with specific privileges required for their tasks and grant those roles to the B. Implement Multi-Factor Authentication (MFA) for all users with the 'ACCOUNTADMIN' role to. Options A and B address remediation at two levels: A directly enforces least privilege by creating custom roles scoped to specific job functions - the core fix - while B adds a compensating security control (MFA) for users who still retain ACCOUNTADMIN, reducing the blast radius

Snowflake Account and Security

Question

A security auditor discovers that multiple users are using the 'ACCOUNTADMIN' role directly for their daily tasks. This violates the principle of least privilege. Which of the following actions should you take to remediate this situation? (Choose two)

Options

  • ACreate custom roles with specific privileges required for their tasks and grant those roles to the
  • BImplement Multi-Factor Authentication (MFA) for all users with the 'ACCOUNTADMIN' role to
  • CEducate the users about the risks of using the 'ACCOUNTADMIN' role and instruct them to use it
  • DGrant the 'SECURITYADMIN' role to these users instead of `ACCOUNTADMINS.
  • ECreate a view that hides sensitive data and grant 'SELECT' on the view to users. Keep granting

How the community answered

(29 responses)
  • A
    72% (21)
  • C
    3% (1)
  • D
    7% (2)
  • E
    17% (5)

Explanation

Options A and B address remediation at two levels: A directly enforces least privilege by creating custom roles scoped to specific job functions - the core fix - while B adds a compensating security control (MFA) for users who still retain ACCOUNTADMIN, reducing the blast radius if those credentials are compromised during the transition period.

Why the distractors fail:

  • C relies on user behavior, not technical enforcement - education is a supplement, never a remediation control.
  • D substitutes one high-privilege role for another; SECURITYADMIN still has sweeping account-level access and doesn't achieve least privilege.
  • E hides data via a view but does nothing to reduce the users' administrative role - they still hold ACCOUNTADMIN, so the underlying violation is unchanged.

Memory tip: Think of it as a two-step formula - "Shrink the role (A), then shield what's left (B)." In any least-privilege remediation question, the primary fix is always scoping down privileges, and a compensating control (like MFA) buys safety while the transition happens.

Topics

#Least privilege#ACCOUNTADMIN role#Role-based access control#MFA

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice