Snowflake® provides a data warehouse in the Cloud. Snowflake supports sharing data by using a share. Lacework supports accessing data from a Snowflake share that is defined by a secure view. This feature is beta in this release. Your Snowflake data is the Snowflake Provider and Lacework is the Snowflake Consumer.
In this release, Lacework supports only using the share to access AWS CloudTrail event data.
CloudTrail event data can be ingested from a Snowflake share into Lacework as shown in the following figure. The setup instructions for this configuration are described below.
For more information about ingesting CloudTrail event data into Snowflake, see aws_cloudtrail.py which is provided by Snowflake.
Note that CloudTrail event data can also be ingested directly into Lacework as described in Initial Setup of AWS Integration as shown in the following figure. Lacework recommends configuring only one of these integrations because configuring both can result in duplicate data being ingested into Lacework.
To set up the Snowflake integration:
- Contact Snowflake for assistance with configuring the Snowflake share that contains the AWS CloudTrail event data. Before creating the Lacework integration, verify the Snowflake share meets the following prerequisites:
- The share must exist before you can create the Lacework Integration with Snowflake.
- The share contains all the AWS CloudTrail data you want Lacework to evaluate.
- The share contains the AWS CloudTrail data for all the AWS accounts you want Lacework to evaluate.
- Lacework must be given access to the Snowflake share that contains your CloudTrail events. You are prompted to supply this information when creating the Lacework integration. Gather the following information about the Snowflake share. Specify only values with alphanumeric and the underscore (_) characters.
- Provider Account - Specify the name of the Snowflake account that is exporting a share to Lacework.
- Share Name - Specify the name of the exported Snowflake share in the provider's account. Note that the total character length of the provider account combined with the share name must be 240 characters or less.
- Schema Name - Specify the name of the schema in the Snowflake share that contains the view which contains the CloudTrail events.
- View Name - Specify the name of the Snowflake view that contains the CloudTrail events.
- Log in to the Lacework Console.
- Navigate to Settings > Snowflake Data Share.
- Click + Create New.
- Specify the values for the fields listed in the preceding steps.
- Click Save. In Snowflake Data Share, a new integration displays.
- When the integration is complete and successful, the status changes to Integration Successful.
Note that the Snowflake CloudTrail integration does not support populating the AWS account alias and the Lacework Console does not display a value for the account alias. For example, the Account Alias column is empty in the CloudTrail Logs table generated from the Snowflake integration in the Lacework Console.