Key Takeaways:
- Snowflake's Cortex AI Search Service runs queries using the service owner's privileges by default, not the calling user's. This "owners' rights" behavior can allow lower-privileged users to bypass dynamic masking policies and access sensitive data like PII or financial details in plaintext.
- The root cause is a privilege escalation gap. When a Cortex Search Service is created under a highly privileged role (e.g., ACCOUNTADMIN), any user granted USAGE on that service inherits those elevated privileges, effectively sidestepping access controls.
- Organizations using Cortex should immediately audit their deployments. Cortex Search Services should be created using dedicated, minimally privileged roles, and sensitive columns or tables with masking policies should not be included in general-purpose search indexes.
- Snowflake has acknowledged the issue and is working on fixes. Updated documentation now clarifies the owners' rights behavior, and enhancements for caller's rights execution contexts and administrator warnings are in progress.
- AI-driven services can introduce security risks that aren't obvious from their default configurations. Deploying tools like Cortex Search requires careful attention to the principle of least privilege to prevent unintended data exposure.
A recent analysis by Cyera uncovered unexpected behavior within Snowflake’s Cortex AI Search Service, a powerful tool for AI-driven search and retrieval. Despite access controls and dynamic masking policies, Cortex AI’s default configuration runs queries using the privileges of the service owner (owner's rights), rather than those of the actual user (caller's rights). This behavior may inadvertently allow users with lower privileges to access sensitive data that should have remained masked or restricted.
Technical Impact
Snowflake’s dynamic masking policies typically ensure that sensitive data is only visible to users with explicit permissions. However, when the Cortex Search Service is created under a highly privileged role (e.g., ACCOUNTADMIN), any user granted "USAGE" on that service inherits these elevated privileges. This can inadvertently bypass intended security restrictions, exposing sensitive information such as Personally Identifiable Information (PII) or financial details in plaintext, despite masking rules.
Recommended Actions
- Deploy Cortex with Least Privileges: Create Cortex Search Services using a dedicated, minimally privileged role that has only essential access.
- Isolate Sensitive Tables: Do not include sensitive columns or tables with dynamic masking or compliance requirements in general-purpose Cortex Search indexes.
- Manage USAGE Grants Carefully: Be cautious granting USAGE permissions on Cortex services, as any user granted access inherits the service’s privileges.
- Audit Regularly: Regularly review and verify roles used to create Cortex services. Rebuild or revoke access as necessary if services were created under overly privileged roles.
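The following Snowflake SQL is an added illustration of the four actions above and of the masking bypass described under Technical Impact; it is not code from the Cyera analysis or from Snowflake's documentation. All database, schema, table, warehouse and role names (demo_db, crm, customers, demo_wh, cortex_search_owner, analyst, pii_reader) are assumed, and the column names used in the audit query are assumed to match the output of SHOW CORTEX SEARCH SERVICES. It places the weak deployment pattern (service owned by ACCOUNTADMIN and indexing a masked column) next to the hardened one (dedicated minimally privileged owner, masked column excluded), and ends with an audit query for finding services owned by high-privilege roles.

```sql
-- Constructed example: every object and role name below is assumed.

-- 0. Roles used in the example (assumed; create if they do not exist).
USE ROLE ACCOUNTADMIN;
CREATE ROLE IF NOT EXISTS analyst;      -- ordinary search user
CREATE ROLE IF NOT EXISTS pii_reader;   -- the only role allowed to see SSNs

-- 1. A table with a dynamic masking policy on a PII column.
CREATE OR REPLACE DATABASE demo_db;
CREATE OR REPLACE SCHEMA demo_db.crm;
CREATE OR REPLACE WAREHOUSE demo_wh WITH WAREHOUSE_SIZE = 'XSMALL';

CREATE OR REPLACE TABLE demo_db.crm.customers (
  id        NUMBER,
  full_name STRING,
  notes     STRING,   -- free text; the column the search indexes
  ssn       STRING    -- sensitive; masked for everyone except PII_READER
);
INSERT INTO demo_db.crm.customers VALUES
  (1, 'Alice Example', 'Asked about billing', '123-45-6789'),   -- constructed rows
  (2, 'Bob Example',   'Renewal pending',     '987-65-4321');

CREATE OR REPLACE MASKING POLICY demo_db.crm.ssn_mask AS (val STRING)
  RETURNS STRING ->
  CASE WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
       ELSE '***-**-****' END;
ALTER TABLE demo_db.crm.customers
  MODIFY COLUMN ssn SET MASKING POLICY demo_db.crm.ssn_mask;

-- Direct access works as intended: ANALYST sees the masked value.
GRANT USAGE ON DATABASE demo_db TO ROLE analyst;
GRANT USAGE ON SCHEMA demo_db.crm TO ROLE analyst;
GRANT SELECT ON TABLE demo_db.crm.customers TO ROLE analyst;

-- 2. WEAK PATTERN: service created while acting as ACCOUNTADMIN, and the
--    masked column is part of the index. The service runs with the owner's
--    rights, so a caller holding only USAGE on the service is served the
--    data as ACCOUNTADMIN would see it, not as the masking policy intends.
CREATE OR REPLACE CORTEX SEARCH SERVICE demo_db.crm.customer_search_weak
  ON notes
  ATTRIBUTES full_name, ssn
  WAREHOUSE = demo_wh
  TARGET_LAG = '1 hour'
  AS (SELECT notes, full_name, ssn FROM demo_db.crm.customers);
GRANT USAGE ON CORTEX SEARCH SERVICE demo_db.crm.customer_search_weak
  TO ROLE analyst;

-- 3. HARDENED PATTERN: a dedicated owner role holding only what the index
--    needs, and the masked column left out of the service definition.
--    Because cortex_search_owner is not in the policy's allow-list, even the
--    index build would only ever see the masked form of ssn.
CREATE ROLE IF NOT EXISTS cortex_search_owner;
GRANT USAGE ON DATABASE demo_db TO ROLE cortex_search_owner;
GRANT USAGE ON SCHEMA demo_db.crm TO ROLE cortex_search_owner;
GRANT CREATE CORTEX SEARCH SERVICE ON SCHEMA demo_db.crm
  TO ROLE cortex_search_owner;
GRANT SELECT ON TABLE demo_db.crm.customers TO ROLE cortex_search_owner;
GRANT USAGE ON WAREHOUSE demo_wh TO ROLE cortex_search_owner;

USE ROLE cortex_search_owner;
CREATE OR REPLACE CORTEX SEARCH SERVICE demo_db.crm.customer_search
  ON notes
  ATTRIBUTES full_name            -- ssn is deliberately not indexed
  WAREHOUSE = demo_wh
  TARGET_LAG = '1 hour'
  AS (SELECT notes, full_name FROM demo_db.crm.customers);
GRANT USAGE ON CORTEX SEARCH SERVICE demo_db.crm.customer_search
  TO ROLE analyst;

-- How an ANALYST would query the hardened service (only non-sensitive columns
-- are available to return).
USE ROLE analyst;
SELECT SNOWFLAKE.CORTEX.SEARCH_PREVIEW(
  'demo_db.crm.customer_search',
  '{"query": "billing", "columns": ["full_name", "notes"], "limit": 5}'
);

-- 4. AUDIT: which role owns each service, and who has been granted USAGE.
USE ROLE ACCOUNTADMIN;
SHOW CORTEX SEARCH SERVICES IN ACCOUNT;
-- Flag services owned by high-privilege roles; these should be rebuilt
-- under a dedicated role (column names assumed from the SHOW output).
SELECT "name", "database_name", "schema_name", "owner"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
 WHERE "owner" IN ('ACCOUNTADMIN', 'SYSADMIN', 'SECURITYADMIN');
SHOW GRANTS ON CORTEX SEARCH SERVICE demo_db.crm.customer_search_weak;
```

Run the audit section on its own against an existing account to get the list of services to review; the weak service in section 2 is only there to make the contrast concrete and should be dropped (or rebuilt as in section 3) rather than kept.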
Vendor Response
Snowflake has acknowledged the issue, updated its documentation to clarify Cortex’s use of owner's rights, and is actively working on enhancements to provide options for caller’s rights execution contexts and clearer administrator warnings.
Conclusion
AI-driven services such as Cortex Search can greatly enhance productivity but must be deployed with careful consideration of security best practices, specifically the principle of least privilege. Organizations leveraging Cortex AI should immediately review their deployment and access configurations to prevent unintended sensitive data exposure.