SnowPro Advanced: Architect · 25% of the exam

Account Security and Data Protection: free practice questions

5 sample questions from our 63-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Snowflake exam.

1. A data steward wants to apply an object tag to a table and then verify the tag is correctly propagated. After running: CREATE TAG governance.tags.data_sensitivity ALLOWED_VALUES 'HIGH', 'MEDIUM', 'LOW'; ALTER TABLE finance.public.accounts SET TAG governance.tags.data_sensitivity = 'HIGH'; Which query will correctly confirm the tag assignment on the table?

  • A. SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.TAG_REFERENCES WHERE OBJECT_NAME = 'ACCOUNTS' AND TAG_NAME = 'DATA_SENSITIVITY';
  • B. SELECT SYSTEM$GET_TAG('governance.tags.data_sensitivity', 'finance.public.accounts', 'table');✓ Correct
  • C. SELECT TAG_VALUE FROM INFORMATION_SCHEMA.TAGS WHERE TABLE_NAME = 'ACCOUNTS';
  • D. SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.OBJECT_TAGS WHERE OBJECT_NAME = 'ACCOUNTS';
Explanation

SYSTEM$GET_TAG is the correct function to retrieve the value of a specific tag on a specific object in real time. It accepts the fully qualified tag name, the fully qualified object name, and the object type ('table', 'column', etc.), returning the tag value or NULL if not set. Option A references ACCOUNT_USAGE.TAG_REFERENCES, which is a valid view but has up to a 2-hour data latency (as with all ACCOUNT_USAGE views) and is better suited for bulk auditing rather than immediate verification. Option C is incorrect: INFORMATION_SCHEMA.TAGS is the view for listing tag definitions (metadata about the tags themselves), not for querying which tags are applied to which objects. Option D is incorrect: SNOWFLAKE.ACCOUNT_USAGE.OBJECT_TAGS is not a standard Snowflake view name; the correct view for tag assignments is TAG_REFERENCES.

2. Which of the following ACCOUNT_USAGE views should a security auditor query to determine the specific columns that were projected (returned) in a SELECT query executed against a sensitive table, and NOT just that the table was accessed?

  • A. ACCOUNT_USAGE.QUERY_HISTORY
  • B. ACCOUNT_USAGE.ACCESS_HISTORY✓ Correct
  • C. ACCOUNT_USAGE.LOGIN_HISTORY
  • D. ACCOUNT_USAGE.OBJECT_DEPENDENCIES
Explanation

ACCESS_HISTORY (available on Business Critical and higher) records the base objects accessed by each query, including the specific columns that were read (projected), not just the table. It captures direct object access and lineage down to the column level, making it the correct view for this use case. QUERY_HISTORY records query text and metadata (execution time, bytes scanned, etc.) but does not enumerate which specific columns were accessed. LOGIN_HISTORY tracks authentication events, not data access. OBJECT_DEPENDENCIES tracks compile-time dependencies between objects (e.g., views referencing tables), not runtime column-level access.

3. A company's network security policy mandates that all traffic between its on-premises data center and Snowflake on GCP must traverse a private network path and never cross the public internet. Which Snowflake connectivity option satisfies this requirement on GCP?

  • A. Configuring a Snowflake network policy to allowlist the on-premises egress IP range
  • B. Enabling GCP Private Service Connect (PSC) for the Snowflake account✓ Correct
  • C. Using AWS PrivateLink through a cross-cloud transit gateway
  • D. Encrypting all JDBC connections with TLS 1.2 over the public internet
Explanation

GCP Private Service Connect (PSC) provides a private network path between a customer's VPC and Snowflake's GCP endpoint, ensuring traffic never traverses the public internet—exactly what the policy requires. A network policy IP allowlist restricts who can connect but still routes traffic over the public internet. AWS PrivateLink is an AWS-specific service and cannot be used for GCP-hosted Snowflake accounts. TLS encryption secures data in transit but does not change the routing path; traffic still crosses the public internet.

4. A Snowflake architect wants to prevent any future user from accidentally querying a table that contains raw (unmasked) PII data by ensuring the masking policy cannot be removed without explicit governance approval. Which approach BEST enforces this requirement?

  • A. Grant only the dedicated DATA_GOVERNANCE_ROLE the APPLY privilege on the masking policy and revoke APPLY from all other roles, including SYSADMIN.✓ Correct
  • B. Set the masking policy as FORCE = TRUE in the CREATE MASKING POLICY statement so it cannot be detached.
  • C. Create the masking policy in a separate governance database and use RESTRICT = TRUE when attaching it to the column.
  • D. Attach the masking policy to a column tag rather than directly to the column, so the policy cannot be altered without modifying the tag.
Explanation

The APPLY privilege on a masking policy controls which roles can attach or detach the policy from columns. By granting APPLY only to the DATA_GOVERNANCE_ROLE and revoking it from SYSADMIN (using ALTER ACCOUNT to prevent SYSADMIN from managing policies), you ensure that only approved governance principals can remove or change the policy assignment. Option B is incorrect: FORCE is not a valid parameter for CREATE MASKING POLICY in Snowflake; there is no such immutability flag. Option C is incorrect: RESTRICT = TRUE is not a valid clause for attaching masking policies; it does not exist in Snowflake DDL for this purpose. Option D is partially correct in that tag-based masking ties the policy to the tag, but the tag assignment itself can still be modified by anyone with APPLY TAG privilege, so it does not fully enforce the governance approval requirement without also controlling that privilege.

5. A Snowflake administrator needs to restrict access to a Snowflake account so that connections are only permitted from a specific set of corporate IP ranges. However, the ACCOUNTADMIN role must retain the ability to connect from any IP address during an emergency. Which approach correctly satisfies both requirements?

  • A. Create a network policy with the allowed IP ranges and assign it at the account level. ACCOUNTADMIN is automatically exempt from all network policies.
  • B. Create a network policy with the allowed IP ranges and assign it at the account level. Create a separate, unrestricted network policy and assign it directly to each user with ACCOUNTADMIN.✓ Correct
  • C. Create a network policy with the allowed IP ranges and assign it at the account level. No additional steps are needed because SYSADMIN can bypass account-level network policies.
  • D. Create a network policy with the allowed IP ranges and assign it to every non-ACCOUNTADMIN user individually, leaving no account-level policy in place.
Explanation

In Snowflake, a network policy assigned at the account level applies to all users, including ACCOUNTADMIN. However, a user-level network policy overrides the account-level policy for that specific user. By assigning a separate, unrestricted (or broader) network policy directly to ACCOUNTADMIN users, those users bypass the account-level restriction. Option A is wrong because ACCOUNTADMIN is NOT automatically exempt from network policies. Option C is wrong because SYSADMIN has no special bypass capability for network policies. Option D could work logically but is operationally impractical and still leaves no account-level guardrail, meaning any user without an assigned policy would have no restriction.

58 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free