nerdexam
Snowflake

SOL-C01 · Question #94

A team is developing a data pipeline to load data from various sources into Snowflake. They are using external stages pointing to AWS S3 buckets and want to ensure maximum security and isolation betwe

The correct answer is B. Use separate IAM roles for each pipeline, granting each role only the necessary permissions to D. Create separate external stages for each pipeline, each pointing to its specific S3 bucket and. B and D are correct because they implement the principle of least privilege and isolation: separate IAM roles (B) ensure each pipeline only accesses what it needs in S3, and separate external stages (D) create distinct access boundaries within Snowflake, preventing one pipeline f

Snowflake Account and Security

Question

A team is developing a data pipeline to load data from various sources into Snowflake. They are using external stages pointing to AWS S3 buckets and want to ensure maximum security and isolation between different pipelines accessing these stages. Which of the following security measures should they implement? (Choose TWO)

Options

  • AGrant the 'ACCOUNTADMIN' role to all users who need to access the stages.
  • BUse separate IAM roles for each pipeline, granting each role only the necessary permissions to
  • CStore all data files in a single S3 bucket and grant a single IAM role access to the entire bucket.
  • DCreate separate external stages for each pipeline, each pointing to its specific S3 bucket and
  • EDisable network policies on the Snowflake account to allow access from any IP address.

How the community answered

(29 responses)
  • A
    14% (4)
  • B
    76% (22)
  • C
    7% (2)
  • E
    3% (1)

Explanation

B and D are correct because they implement the principle of least privilege and isolation: separate IAM roles (B) ensure each pipeline only accesses what it needs in S3, and separate external stages (D) create distinct access boundaries within Snowflake, preventing one pipeline from accidentally or maliciously touching another's data.

Why the distractors fail:

  • A is wrong because ACCOUNTADMIN is the most powerful role in Snowflake - granting it broadly is a security anti-pattern that violates least privilege.
  • C is wrong because a single bucket with a single IAM role collapses all isolation, meaning a compromise or misconfiguration in one pipeline exposes all data.
  • E is wrong because disabling network policies eliminates a critical defense layer, exposing Snowflake to access from any IP globally.

Memory tip: Think "one pipeline, one role, one stage" - isolation lives at every layer (IAM in AWS, stage in Snowflake). Any answer that consolidates access or expands permissions beyond what's needed is a trap.

Topics

#External Stages#IAM Roles#S3 Integration#Access Control

Community Discussion

No community discussion yet for this question.

Full SOL-C01 Practice