❄️
Data Flakes
Back
2 min
security /
s3 /
azure /
administration

Securing External Stages

Hardening your data ingestion pathways: Storage Integrations, Private Link, and IAM best practices.
views | comments

External stages (S3, Azure Blob, GCS) are the most common way data enters Snowflake. However, they are also a common attack vector if misconfigured. Hardcoding AWS Access Keys into stage definitions is a practice from 2018—in 2025, we have better tools.

1. Storage Integrations are Mandatory

Never use credentials (AWS_KEY_ID, AWS_SECRET_KEY) in a CREATE STAGE command. Instead, use a Storage Integration. This object establishes a trust relationship between Snowflake and your Cloud Provider (using IAM Roles in AWS or Service Principals in Azure).

CREATE STORAGE INTEGRATION s3_int
  TYPE = EXTERNAL_STAGE
  STORAGE_PROVIDER = 'S3'
  ENABLED = TRUE
  STORAGE_AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/my-snowflake-role'
  STORAGE_ALLOWED_LOCATIONS = ('s3://my-bucket/data/');
sql

This ensures that:

  1. Credentials are not exposed in DDL.
  2. You can rotate keys/roles on the cloud side without breaking Snowflake objects.
  3. You can strictly limit which buckets Snowflake can access.

If you are on an Enterprise edition or higher, use Private Link (AWS) or Private Endpoints (Azure). This ensures that traffic between your VPC/VNet and Snowflake never traverses the public internet. It significantly reduces the surface area for man-in-the-middle attacks.

3. Encryption

Ensure your external buckets have Server-Side Encryption (SSE) enabled. Snowflake handles the decryption transparently using the permissions granted to the integration.

4. Directory Tables for Observability

Turn on highly convenient Directory Tables on your stages.

CREATE STAGE my_stage
  URL='s3://bucket/path'
  STORAGE_INTEGRATION = s3_int
  DIRECTORY = (ENABLE = TRUE);
sql

This allows you to query the stage contents (SELECT * FROM DIRECTORY(@my_stage)) to audit what files are present, their sizes, and last modified timestamps effectively.

5. Least Privilege

When configuring the Cloud IAM Role:

  • Grant GetObject only for loading.
  • Grant PutObject only for unloading.
  • Restrict the Resource scope to specific prefixes, not the whole bucket.

Conclusion

Securing your connection to the outside world is step one in a robust security posture. By forcing the use of Storage Integrations and implementing Private Connectivity, you close the biggest doors to potential data exfiltration.

Zero-Copy Cloning for Dev/Test

Cross-Cloud Replication Strategies

Disclaimer

The information provided on this website is for general informational purposes only. While we strive to keep the information up to date and correct, there may be instances where information is outdated or links are no longer valid. We make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.