SnowPro Core COF-C02: Security and Governance

Try 10 focused SnowPro Core COF-C02 questions on Security and Governance, with explanations, then continue with IT Mastery.


Topic snapshot

Field             Detail
Exam route        SnowPro Core COF-C02
Topic area        Account Setup, Security, and Governance
Blueprint weight  20%
Page purpose      Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Account Setup, Security, and Governance for SnowPro Core COF-C02. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass: First attempt
  What to do: Answer without checking the explanation first.
  What to record: The fact, rule, calculation, or judgment point that controlled your answer.

Pass: Review
  What to do: Read the explanation even when you were correct.
  What to record: Why the best answer is stronger than the closest distractor.

Pass: Repair
  What to do: Repeat only missed or uncertain items after a short break.
  What to record: The pattern behind misses, not the answer letter.

Pass: Transfer
  What to do: Return to mixed practice once the topic feels stable.
  What to record: Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 20% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Account Setup, Security, and Governance

A Snowflake administrator is designing role-based access for a new analytics environment. They want to follow least-privilege and keep governance simple. Which TWO planned grants represent poor use of Snowflake privileges and SHOULD BE AVOIDED? (Select TWO.)

Options:

  • A. Granting the BI_REPORTER role USAGE on the SALES database and REPORTING schema, and SELECT on a limited set of reporting views in that schema.

  • B. Granting the BUSINESS_ANALYST role OWNERSHIP on the entire SALES database so analysts can manage all tables and views themselves.

  • C. Granting the ETL_LOADER role USAGE on the STAGE schema and INSERT on specific staging tables used for batch loads.

  • D. Granting a custom APP_PROD role USAGE and SELECT on production tables, and also granting OWNERSHIP on those same tables to simplify permission management.

  • E. Granting a DATA_ENGINEER_DEV role OWNERSHIP on a dedicated development schema where they create and manage their own objects, while keeping production schemas restricted.

Correct answers: B and D

Explanation: In Snowflake, privileges such as USAGE, SELECT, INSERT, and especially OWNERSHIP control how roles interact with objects. Good governance applies the principle of least privilege: a role should have only the specific permissions it needs on the smallest appropriate scope (particular databases, schemas, or objects).

USAGE lets a role see and reference a database, schema, or warehouse, but not read or modify data. SELECT lets a role query data in tables or views. INSERT allows adding rows to tables without necessarily allowing reads. OWNERSHIP is the most powerful privilege: the owner can modify and drop the object and grant or revoke all other privileges on it.

Because OWNERSHIP implies full control, it should be carefully restricted to administrative or clearly accountable owner roles, typically at limited scope (for example, a specific schema). Granting OWNERSHIP broadly on production databases or tables to general analyst or application roles is a clear anti-pattern and creates governance and security risk.
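The grant layout that the explanation describes, written out as Snowflake SQL. This is an added example, not part of the practice item or any Snowflake documentation; the database, schema, view and table names (SALES, REPORTING, STAGE, DEV_SANDBOX, MONTHLY_REVENUE_V, ORDERS_RAW) are illustrative, and it assumes the roles already exist and that the executing role currently owns the objects it hands over.

```sql
-- Added example (not from the page): least-privilege grants for the roles in Question 1.
-- All object names are illustrative.
USE ROLE SECURITYADMIN;

-- BI_REPORTER (option A): can reference the containers, can read only named reporting views.
GRANT USAGE  ON DATABASE SALES                          TO ROLE BI_REPORTER;
GRANT USAGE  ON SCHEMA   SALES.REPORTING                TO ROLE BI_REPORTER;
GRANT SELECT ON VIEW     SALES.REPORTING.MONTHLY_REVENUE_V TO ROLE BI_REPORTER;
GRANT SELECT ON VIEW     SALES.REPORTING.REGION_SUMMARY_V  TO ROLE BI_REPORTER;

-- ETL_LOADER (option C): can append to specific staging tables, cannot read them back.
GRANT USAGE  ON DATABASE SALES                          TO ROLE ETL_LOADER;
GRANT USAGE  ON SCHEMA   SALES.STAGE                    TO ROLE ETL_LOADER;
GRANT INSERT ON TABLE    SALES.STAGE.ORDERS_RAW         TO ROLE ETL_LOADER;

-- DATA_ENGINEER_DEV (option E): full control, but only over its own development schema.
GRANT USAGE     ON DATABASE SALES                       TO ROLE DATA_ENGINEER_DEV;
GRANT OWNERSHIP ON SCHEMA   SALES.DEV_SANDBOX           TO ROLE DATA_ENGINEER_DEV;

-- The anti-patterns in options B and D would look like the next two lines.
-- They are left commented out: OWNERSHIP on a whole production database, or on
-- production tables that an application role only needs to read, hands that role
-- the ability to drop the objects and re-grant access to anyone.
-- GRANT OWNERSHIP ON DATABASE SALES TO ROLE BUSINESS_ANALYST;
-- GRANT OWNERSHIP ON ALL TABLES IN SCHEMA SALES.PROD TO ROLE APP_PROD;

-- Check: list everything a role holds, and confirm no OWNERSHIP row appears
-- outside the scope you intended.
SHOW GRANTS TO ROLE BI_REPORTER;
SHOW GRANTS TO ROLE DATA_ENGINEER_DEV;
```

The two SHOW GRANTS calls are the practical review step: a role that should only read reporting views must show USAGE and SELECT rows and nothing else, while the development role's single OWNERSHIP row must name only the sandbox schema.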


Question 2

Topic: Account Setup, Security, and Governance

Which TWO of the following statements about a Snowflake organization are NOT correct? (Select TWO.)

Options:

  • A. Organizations enable consolidated governance tasks, such as viewing usage and costs across accounts from a central administrative context.

  • B. A single Snowflake account can be a member of multiple organizations at the same time to support multiple billing models.

  • C. Each Snowflake account belongs to exactly one organization.

  • D. By default, all data in accounts within the same organization is automatically visible and readable by every other account in that organization.

  • E. A Snowflake organization is a logical container that groups multiple accounts under a single administrative and billing boundary.

Correct answers: B and D

Explanation: A Snowflake organization is a top-level logical construct above individual accounts. It primarily exists to group multiple accounts under a single administrative, governance, and billing boundary. Organizations allow centralized visibility into usage and spending across their accounts, while each account still maintains its own data, security, and RBAC controls.

An individual Snowflake account is created within a single organization and remains associated with that organization. Being in the same organization does not change how data security works between accounts; data sharing still requires explicit configurations such as shares and appropriate privileges.


Question 3

Topic: Account Setup, Security, and Governance

A company wants to improve sign-in convenience and security for 800 Snowflake users by eliminating separate Snowflake passwords and relying on existing corporate MFA policies managed by its identity provider. Which authentication approach is most appropriate?

Options:

  • A. Require all users to authenticate with Snowflake-native usernames and strong, frequently rotated passwords

  • B. Configure key-pair authentication for each user and distribute private keys using an internal ticketing process

  • C. Enable MFA directly in Snowflake for all users while they continue to log in with Snowflake usernames and passwords

  • D. Configure Snowflake to use single sign-on (SSO) with the corporate identity provider so users authenticate with their existing corporate accounts

Best answer: D

Explanation: The scenario emphasizes a single deciding factor: improving both convenience and security by eliminating separate Snowflake passwords and reusing existing corporate MFA policies managed by the organization’s identity provider. This is precisely the benefit of configuring Snowflake for single sign-on (SSO).

With SSO, Snowflake delegates authentication to an external identity provider. Users sign in with their existing corporate credentials and any MFA configured there. Snowflake no longer needs to store or manage separate passwords, which reduces helpdesk password-reset tickets and centralizes access control and MFA policies in one place.

Approaches that rely on Snowflake-native usernames/passwords or per-user key-pairs may improve security in some ways, but they do not deliver the combination of centralized identity governance and simplified user experience described in the requirement.


Question 4

Topic: Account Setup, Security, and Governance

A company’s analysts connect to the Snowflake AI Data Cloud from laptops over both corporate and public networks. The security team wants to ensure that usernames, passwords, session tokens, queries, and query results cannot be viewed or modified by anyone who might intercept network traffic. They also have a policy that all SaaS services must encrypt data in transit between clients and the service. Which statement BEST explains why Snowflake requires TLS-encrypted connections for client access?

Options:

  • A. TLS is required mainly so Snowflake can compress queries and results more efficiently, reducing network bandwidth usage and improving performance.

  • B. TLS is necessary only when data is written to Snowflake storage so that micro-partitions are encrypted at rest inside the Snowflake service.

  • C. TLS encrypts all traffic between clients and Snowflake so credentials, queries, and results are protected from eavesdropping or tampering while in transit across untrusted networks.

  • D. TLS ensures that only virtual warehouses in the same cloud region as the client can be used, preventing cross-region latency issues during query execution.

Best answer: C

Explanation: Snowflake requires TLS-encrypted connections to ensure that data moving between clients and the Snowflake AI Data Cloud is protected. When users connect from laptops, especially over public or otherwise untrusted networks, the traffic can potentially be intercepted. TLS establishes an encrypted channel so that sensitive information such as login credentials, session tokens, SQL text, and query results cannot be read or modified by an attacker on the network.

TLS also helps protect integrity by detecting tampering: if an attacker tries a man-in-the-middle attack to alter queries or results, the TLS protocol will cause the connection to fail rather than silently accept manipulated data. This is why TLS is a fundamental control for “encryption in transit” and a key part of Snowflake’s security model for client connections.

Encryption at rest, warehouse configuration, or performance optimizations are separate concerns. Even if data is fully encrypted inside Snowflake, it could still be exposed in transit without TLS. Therefore, Snowflake requires TLS so that organizations can confidently meet policies requiring protection of data in transit to and from SaaS platforms.


Question 5

Topic: Account Setup, Security, and Governance

Your team is deciding which system role should be used for day-to-day creation of users and management of masking policies. Review the excerpt from SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES:

role           privilege             object_type   object_name
SECURITYADMIN  CREATE USER           ACCOUNT
SECURITYADMIN  CREATE ROLE           ACCOUNT
SECURITYADMIN  APPLY MASKING POLICY  ACCOUNT
SYSADMIN       CREATE WAREHOUSE      ACCOUNT
SYSADMIN       MODIFY WAREHOUSE      ACCOUNT

Based on the exhibit, which role is the most appropriate choice for these user and security policy tasks?

Options:

  • A. Use the SYSADMIN role to manage users and masking policies because it already manages warehouses.

  • B. Use the SECURITYADMIN role to create users, manage roles, and apply masking policies.

  • C. Use the PUBLIC role so all users can grant and revoke roles and apply masking policies without needing elevation.

  • D. Use the ACCOUNTADMIN role for all user onboarding and masking, and reserve SECURITYADMIN for managing warehouses.

Best answer: B

Explanation: The exhibit shows how different system roles in the Snowflake AI Data Cloud are granted specific account-level privileges. The SECURITYADMIN role has CREATE USER, CREATE ROLE, and APPLY MASKING POLICY on the account, which are classic security administration capabilities. These privileges directly support managing identities (users), access control structure (roles), and security policies (masking policies).

In contrast, the SYSADMIN role in the exhibit holds CREATE WAREHOUSE and MODIFY WAREHOUSE privileges, which are focused on compute and object administration rather than identity or security policy management. This separation of duties is a key principle of Snowflake’s RBAC model: SECURITYADMIN is responsible for security-related tasks, while SYSADMIN manages data and compute objects.

Therefore, for day-to-day user onboarding (creating users and roles) and applying column-level masking policies, SECURITYADMIN is the most appropriate and least-privileged role that matches the requirements shown in the exhibit.
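The day-to-day SECURITYADMIN workflow from this item, as an added example that is not part of the practice page. User, role, table and policy names (jdoe, ANALYST, PII_READER, CRM.PUBLIC.CUSTOMERS, CRM.GOV.EMAIL_MASK) are illustrative. It assumes the user signs in through SSO (so no password is set here) and that SECURITYADMIN has additionally been granted CREATE MASKING POLICY on the CRM.GOV schema, since the exhibit only shows the account-level APPLY MASKING POLICY privilege that is needed to attach a policy to a column.

```sql
-- Added example (not from the page): user, role and masking-policy tasks under SECURITYADMIN.
-- Names are illustrative; assumes CREATE MASKING POLICY on CRM.GOV was granted to SECURITYADMIN.
USE ROLE SECURITYADMIN;

-- Identity and role structure (covered by CREATE USER / CREATE ROLE on the account).
CREATE ROLE IF NOT EXISTS ANALYST;
CREATE ROLE IF NOT EXISTS PII_READER;
GRANT ROLE ANALYST    TO ROLE SYSADMIN;   -- keep custom roles rooted under SYSADMIN
GRANT ROLE PII_READER TO ROLE SYSADMIN;

CREATE USER IF NOT EXISTS jdoe
  LOGIN_NAME   = 'jdoe'
  DEFAULT_ROLE = ANALYST;                 -- authenticates via SSO, so no password is set
GRANT ROLE ANALYST TO USER jdoe;

-- Column-level masking: only PII_READER sees the full address, everyone else sees the domain.
CREATE OR REPLACE MASKING POLICY CRM.GOV.EMAIL_MASK AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_READER') THEN val
    ELSE REGEXP_REPLACE(val, '.+@', '*****@')
  END;

-- Attaching the policy is what APPLY MASKING POLICY on the account permits.
ALTER TABLE CRM.PUBLIC.CUSTOMERS MODIFY COLUMN email
  SET MASKING POLICY CRM.GOV.EMAIL_MASK;

-- Check: which policies are attached to the table, and to which columns.
SELECT policy_name, ref_column_name
FROM TABLE(CRM.INFORMATION_SCHEMA.POLICY_REFERENCES(
  REF_ENTITY_NAME   => 'CRM.PUBLIC.CUSTOMERS',
  REF_ENTITY_DOMAIN => 'TABLE'));
```

Nothing in this sequence touches warehouses, which is the point of the separation of duties the explanation describes: SYSADMIN owns compute and data objects, SECURITYADMIN owns who exists, what roles they hold, and which security policies apply.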


Question 6

Topic: Account Setup, Security, and Governance

Which statement correctly compares key pair authentication with password-based authentication in Snowflake in terms of security and manageability?

Options:

  • A. Key pair authentication provides stronger protection against password theft and phishing but requires users to securely manage their private keys and client configuration.

  • B. Key pair authentication is less secure because Snowflake stores the private key in the user profile, while passwords are never stored in the account.

  • C. Both key pair and password-based authentication provide identical security; the choice mainly affects query performance, not authentication risk or manageability.

  • D. Password-based authentication is more secure because it always requires MFA, whereas key pair authentication cannot be combined with MFA.

Best answer: A

Explanation: In Snowflake, password-based authentication relies on users entering a secret that is stored (as a hash) and validated by Snowflake. This model is familiar and easy to roll out, but it is vulnerable to common password issues such as reuse, weak passwords, and phishing. Key pair authentication instead uses an asymmetric key pair, where only the public key is registered in Snowflake and the private key remains on the client, never transmitted to Snowflake.

Because the private key does not leave the client and is not typed by the user, key pair authentication greatly reduces exposure to password theft and phishing. However, it introduces manageability responsibilities: users or administrators must generate, store, protect, back up, and rotate private keys, and configure clients (such as drivers or SnowSQL) to use them. This trade-off—stronger credential security but higher management overhead—best describes the difference between these two methods in Snowflake.


Question 7

Topic: Account Setup, Security, and Governance

Which TWO of the following statements about the Snowflake ACCOUNTADMIN system role are INCORRECT and represent practices you SHOULD AVOID? (Select TWO.)

Options:

  • A. Most Snowflake users who run queries and build dashboards should be assigned the ACCOUNTADMIN role so they can work without permission issues.

  • B. The ACCOUNTADMIN role is responsible for managing all accounts in an organization, including creating and dropping Snowflake accounts across the organization.

  • C. ACCOUNTADMIN can view and analyze account usage and billing information exposed through Snowflake’s shared system data, so it should be held by people responsible for cost governance.

  • D. It is a best practice to perform day-to-day development, ETL, and analytic work with lower-privilege roles and only elevate to ACCOUNTADMIN when a task explicitly requires it.

  • E. The ACCOUNTADMIN role has broad privileges across a single Snowflake account, including managing virtual warehouses, databases, and many account-level settings.

Correct answers: A and B

Explanation: ACCOUNTADMIN is the most powerful system-defined role within a single Snowflake account. It inherits privileges from both SYSADMIN and SECURITYADMIN, can manage many account-level parameters, and has access to usage and billing information. Because of this broad power, its use should be restricted to a small number of trusted administrators.

Everyday work such as writing queries, developing ETL/ELT pipelines, or building dashboards should be done with lower-privilege roles (for example, custom roles that inherit from SYSADMIN or other purpose-specific roles). When a specific administrative task truly requires ACCOUNTADMIN (such as certain account-parameter changes or cost-governance activities), an authorized user can temporarily assume that role and then revert to their normal role afterward.

Organization-level management, such as creating and dropping Snowflake accounts within an organization, is handled by the ORGADMIN role, which is separate from ACCOUNTADMIN and operates at a higher scope than a single account.


Question 8

Topic: Account Setup, Security, and Governance

A security engineer reviews current privileges on the ANALYTICS.SALES table. Only role ANALYST should be able to query this table. Use the exhibit to determine the most appropriate next step.

Exhibit – filtered view of SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES:

ROLE       PRIVILEGE  GRANTED_ON  NAME
ANALYST    SELECT     TABLE       SALES
REPORTING  SELECT     TABLE       SALES
PUBLIC     USAGE      DATABASE    ANALYTICS

Options:

  • A. Grant SELECT on table SALES to role ANALYST.

  • B. Revoke USAGE on database ANALYTICS from role PUBLIC.

  • C. Revoke SELECT on table SALES from role REPORTING.

  • D. Grant SELECT on table SALES to role PUBLIC and revoke it from ANALYST.

Best answer: C

Explanation: In Snowflake, privileges are managed using GRANT and REVOKE statements on objects such as databases, schemas, tables, and views. The exhibit shows current grants in SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES for the SALES table.

The requirement is that only the ANALYST role should be able to query the SALES table. From the exhibit, both ANALYST and REPORTING have the SELECT privilege on the SALES table (as shown by the PRIVILEGE column set to SELECT and GRANTED_ON set to TABLE for NAME = SALES). To enforce the requirement, the extra SELECT on SALES must be removed from REPORTING, while retaining it for ANALYST.

Conceptually, GRANT adds privileges; REVOKE removes them. Because the problem is that REPORTING has more access than it should, the correct action is a REVOKE on the specific privilege and object for that role, not another GRANT and not a broad change to database-level access.
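The remediation for this item plus the verification a reviewer would run afterwards, as an added example that is not part of the practice page. Object and role names follow the exhibit; the ACCOUNT_USAGE column names (GRANTEE_NAME, TABLE_CATALOG, DELETED_ON) are those of the real GRANTS_TO_ROLES view, and the exhibit's ROLE column corresponds to GRANTEE_NAME.

```sql
-- Added example (not from the page): fix for Question 8 and two ways to confirm it.
USE ROLE SECURITYADMIN;

-- Remove only the surplus privilege; ANALYST's grant is untouched and PUBLIC's
-- database USAGE stays, since USAGE alone does not allow reading the table.
REVOKE SELECT ON TABLE ANALYTICS.SALES FROM ROLE REPORTING;

-- Immediate check straight from the object: expect a single SELECT row, for ANALYST.
SHOW GRANTS ON TABLE ANALYTICS.SALES;

-- Audit check against the same view the exhibit came from. ACCOUNT_USAGE views
-- can lag behind by up to a couple of hours, so treat SHOW GRANTS as the
-- authoritative immediate answer and this query as the after-the-fact record.
SELECT grantee_name AS role, privilege, granted_on, name
FROM   SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
WHERE  granted_on     = 'TABLE'
  AND  table_catalog  = 'ANALYTICS'
  AND  name           = 'SALES'
  AND  privilege      = 'SELECT'
  AND  deleted_on     IS NULL;        -- only grants still in force
```

The DELETED_ON filter matters when reading GRANTS_TO_ROLES for this purpose: revoked grants remain in the view with a timestamp, so without the filter the REPORTING row would still appear and look like an open finding.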


Question 9

Topic: Account Setup, Security, and Governance

A security architect must ensure that all interactive users of a Snowflake account authenticate with multi-factor authentication (MFA). The solution should be centrally enforced, not left to each user’s choice, and should work for both existing and new users. Which of the following actions will meet these requirements? (Select TWO.)

Options:

  • A. Enable Snowflake native MFA and configure the account so that all password-based logins must supply an additional MFA factor

  • B. Require all users to authenticate with key-pair authentication instead of passwords and disable password authentication at the account level

  • C. Integrate Snowflake with the corporate identity provider (IdP), require MFA in the IdP, and configure users to sign in to Snowflake only through federated SSO

  • D. Grant powerful roles such as ACCOUNTADMIN and SECURITYADMIN only to users who have voluntarily enabled MFA, leaving other users without MFA

  • E. Create a network policy that limits access to Snowflake from corporate IP ranges only, assuming those networks already require MFA for access

Correct answers: A and C

Explanation: To enforce multi-factor authentication (MFA) for all Snowflake users, account administrators must use mechanisms that make MFA a hard requirement for interactive logins, rather than relying on individual users to opt in.

Snowflake supports two main patterns:

  • Using an external identity provider (IdP) with federated single sign-on (SSO), where the IdP enforces MFA during authentication.
  • Using Snowflake’s native MFA for local password-based users, enforced by account-level settings so that any password login requires an MFA factor.

When Snowflake is integrated with an IdP and direct password logins are disabled, users can only reach Snowflake through SSO. If the IdP policy requires MFA for that application, every sign-in to Snowflake automatically includes an MFA challenge. This approach centralizes MFA policy in the corporate identity platform.

For local Snowflake users who authenticate directly with username and password, native MFA can be enabled and required at the account level. This forces users to enroll an MFA device and present a second factor each time they log in with a password, covering both existing and newly created users.

Option review:

  • ✔ Integrating with an IdP, requiring MFA there, and enforcing SSO-only access makes MFA mandatory for all federated users.
  • ✔ Enabling and requiring native MFA for all password logins means any direct Snowflake login must use MFA.
  • ✖ Restricting access by IP via network policies improves security but does not ensure an MFA challenge for Snowflake logins.
  • ✖ Replacing passwords with key-pair authentication adds strong single-factor auth, but it is not MFA.
  • ✖ Limiting powerful roles to users who opted in to MFA protects admin access but does not enforce MFA for all users in the account.
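The two enforcement patterns above expressed as a Snowflake authentication policy, as an added example that is not part of the practice page. It assumes a SAML security integration with the corporate IdP is already configured, and the policy and schema names (GOV.POLICIES.ENFORCE_MFA) are illustrative. Authentication policies are an account-level mechanism that the explanation refers to only generically as "account-level settings"; the parameter names used here are the real ones, but their applicability to a given account edition should be confirmed against current Snowflake documentation.

```sql
-- Added example (not from the page): central MFA enforcement for Question 9.
-- Assumes the SAML integration exists; policy/schema names are illustrative.
USE ROLE ACCOUNTADMIN;

-- Option A: every password user must enrol in native MFA, and every password
-- login must present a second factor. SAML logins are allowed as well, so
-- federated users go through the IdP, where the IdP's own MFA rule applies.
CREATE OR REPLACE AUTHENTICATION POLICY GOV.POLICIES.ENFORCE_MFA
  AUTHENTICATION_METHODS     = ('SAML', 'PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');

-- Apply centrally: the account-level policy covers existing and future users
-- alike, which is what "not left to each user's choice" requires.
ALTER ACCOUNT SET AUTHENTICATION POLICY GOV.POLICIES.ENFORCE_MFA;

-- Option C, taken to its strict form: SSO only. Dropping PASSWORD from the list
-- means the only way in is through the IdP, so its MFA requirement is unavoidable.
ALTER AUTHENTICATION POLICY GOV.POLICIES.ENFORCE_MFA
  SET AUTHENTICATION_METHODS = ('SAML');

-- Checks: confirm the policy definition and that it is attached to the account.
DESCRIBE AUTHENTICATION POLICY GOV.POLICIES.ENFORCE_MFA;
SHOW AUTHENTICATION POLICIES;
```

Neither of the rejected options maps onto anything in this block: a network policy would be a separate object that says nothing about factors, and key-pair authentication would appear as 'KEYPAIR' in AUTHENTICATION_METHODS as a single strong factor, not as MFA.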

Question 10

Topic: Account Setup, Security, and Governance

How can secure views in Snowflake be used to restrict access to sensitive columns or rows for certain roles?

Options:

  • A. Grant SELECT on the base table to all roles and rely on secure views to override table privileges and hide sensitive data at query time

  • B. Create a regular (non-secure) view and rely on Snowflake’s result cache to prevent sensitive data from appearing for roles that should not see it

  • C. Encrypt the sensitive columns in the base table; any view created on the table automatically hides the encrypted data from unauthorized roles

  • D. Define a secure view that excludes or filters sensitive data and grant privileges only on the view, while withholding direct access to the underlying table

Best answer: D

Explanation: Secure views in Snowflake are a key data governance feature for protecting sensitive data. They allow you to define a query that returns only specific columns and rows from a base table, and then grant access to that view instead of the underlying table. Roles with privileges only on the secure view can query its restricted result set but cannot directly access or infer the excluded sensitive data.

Critically, secure views are designed for stronger data protection: they ensure the underlying base table data is not exposed indirectly through certain metadata or query history. Governance is achieved by combining the restricted projection/filter in the view with role-based privileges that avoid granting direct access to the base table.

Therefore, the correct use pattern is to create a secure view that omits or filters sensitive information, grant SELECT on that view to the appropriate roles, and withhold SELECT on the base table from those roles.
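The secure-view pattern from this item worked through end to end, as an added example that is not part of the practice page. Table, view, column and role names (HR.CORE.EMPLOYEES, EMPLOYEES_DIRECTORY_V, HR_REPORTER, HR_ADMIN) are illustrative, and it assumes the roles and the HR database already exist.

```sql
-- Added example (not from the page): secure view that hides columns and filters rows,
-- with privileges granted on the view only. Names are illustrative.
USE ROLE SYSADMIN;

-- Base table mixes reportable columns with sensitive ones (ssn, salary).
CREATE OR REPLACE TABLE HR.CORE.EMPLOYEES (
  employee_id NUMBER,
  full_name   STRING,
  department  STRING,
  region      STRING,
  ssn         STRING,
  salary      NUMBER
);

-- Secure view: projects only the non-sensitive columns and, unless the caller
-- is HR_ADMIN, returns only the EMEA rows.
CREATE OR REPLACE SECURE VIEW HR.CORE.EMPLOYEES_DIRECTORY_V AS
SELECT employee_id, full_name, department, region
FROM   HR.CORE.EMPLOYEES
WHERE  region = 'EMEA' OR CURRENT_ROLE() = 'HR_ADMIN';

-- Grants go to the view, never to the base table, for the reporting role.
GRANT USAGE  ON DATABASE HR                          TO ROLE HR_REPORTER;
GRANT USAGE  ON SCHEMA   HR.CORE                     TO ROLE HR_REPORTER;
GRANT SELECT ON VIEW     HR.CORE.EMPLOYEES_DIRECTORY_V TO ROLE HR_REPORTER;
-- Deliberately absent: GRANT SELECT ON TABLE HR.CORE.EMPLOYEES TO ROLE HR_REPORTER;

-- Checks from the restricted role's point of view.
USE ROLE HR_REPORTER;
SELECT * FROM HR.CORE.EMPLOYEES_DIRECTORY_V;  -- succeeds; no ssn/salary, EMEA rows only
SELECT * FROM HR.CORE.EMPLOYEES;              -- fails with an insufficient-privileges error
SHOW VIEWS LIKE 'EMPLOYEES_DIRECTORY_V' IN SCHEMA HR.CORE;  -- is_secure = true; the view
                                                           -- text is not shown to non-owners
```

The last SHOW VIEWS call is the practical difference between a secure view and a regular one: a role that can query a regular view can usually also read its definition, and the optimizer may evaluate user-supplied expressions against rows the view would filter out, whereas a secure view withholds the definition from non-owners and gives up those optimizations to keep the filtered data out of reach.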

Continue with full practice

Use the SnowPro Core COF-C02 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Read the SnowPro Core COF-C02 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.

Revised on Thursday, May 14, 2026