MyCertStack logoMyCertStack

    1: Accounts and Security

    Designing a Snowflake Account and Database Strategy

    Account topology is the most consequential architectural decision an organization makes when adopting Snowflake. The choice between a single shared account and a federated multi-account topology cascades into RBAC scope, blast radius, replication design, edition selection, cost attribution boundaries, data-sharing patterns, and even how the platform team operates the environment day to day. An architect who treats this decision as a billing-only concern misses that an account is also a security boundary, a feature-gate boundary, a region boundary, and a cloud-provider boundary. Once a workload lands in an account, moving it later requires either an Account Replication failover or a deliberate Listings handoff, neither of which is free in operational cost or in the metadata that gets rebuilt on the target side.

    The driver behind almost every multi-account decision is one of four pressures: regulatory residency (PHI under HIPAA, EU personal data under GDPR, financial workloads under PCI), workload isolation (a runaway analytics workload must not consume credit budgets allocated to a production OLTP-style downstream), edition or feature gating (Tri-Secret Secure must be enabled at account creation on a Business Critical account), or organisational separation (an acquired subsidiary that already runs a Snowflake account and cannot be merged without rewriting RBAC). When none of those four pressures apply, a single-account topology with carefully designed databases and roles is the simpler choice, and the architecture should resist the temptation to fragment accounts purely for vanity reasons such as one-account-per-team naming.

    Single account versus multiple accounts

    A single account holds every database, every warehouse, every user, and every role behind one URL, one login surface, and one credit pool. The benefit is uniform discoverability and a single RBAC graph that any role can traverse to reach any database it has been granted on. The cost is that every blast-radius event (a misapplied global mask, a runaway warehouse, a leaked ACCOUNTADMIN credential) reaches every workload. Multi-account topologies trade discoverability for blast-radius isolation, but at the price of duplicate user provisioning, duplicate network policies, duplicate role hierarchies, and a permanent operational tax on every change that must now be applied N times.

    The decision rule is to start with one account per regulatory boundary, then split per major workload only when an actual isolation requirement exists. A small business with a single jurisdiction and no PHI/PCI workloads almost always runs one account. A large multinational with EU residency, HIPAA workloads, and government-regulated PCI workloads almost always runs three or more accounts: one EU Business Critical account for personal data, one Business Critical account in the customer's home region for PHI, and a separate Business Critical account for any cardholder data scope. The split is driven by what the regulators consider a boundary, not by what the organisational chart looks like.

    💡 Exam Trap: A single Snowflake account can hold multiple databases, multiple warehouses, and multiple environments (dev, test, prod) on its own. Splitting dev from prod does not require splitting accounts. The exam frequently presents a "we need to isolate dev and prod" scenario where the correct answer is database and role separation inside one account, not a multi-account topology.

    ⚠️ Anti-Pattern: Creating one account per business unit "for clarity" with no regulatory or edition driver. The result is N copies of every network policy, N copies of every SAML integration, and a SCIM provisioning surface that has to push every user to every account. The same isolation can be obtained inside a single account with functional roles and credit-monitored warehouses.

    Implications of multiple accounts

    Multi-account topology has five practical implications that an architect must price into the design. Maintainability suffers because every account has its own role hierarchy and its own SCIM-managed user population; changes to a role definition must propagate to every account or drift creeps in over months. Security improves on the blast-radius axis (an ACCOUNTADMIN credential leak is bounded to the affected account) but degrades on the consistency axis (a missing network policy on one account is a hole in the perimeter). Discoverability collapses because cross-account object listing does not exist outside of Listings: a user in account A cannot run a SHOW TABLES IN ACCOUNT B and find the production sales table without a deliberate Listing or Share. Isolation is the goal but it works in both directions: legitimate cross-account analytics now require Secure Direct Shares, Replication, or Listings, each with their own setup overhead.

    Cost attribution becomes simpler at the account level (each account has its own ACCOUNT_USAGE schema and its own credit consumption ledger) but harder at the holistic level (rolling up credits across accounts now requires an Organization-level usage view or a manual aggregation pipeline). Edition selection becomes a per-account choice rather than a one-time platform-level decision: an organisation can run a Business Critical account for PHI alongside a Standard account for dev workloads, paying the higher Business Critical credit multiplier only where the regulatory feature gates demand it. The architect's job is to enumerate which workloads sit at which tier and refuse to overbuy or underbuy edition coverage in the name of a uniform deployment.

    Account hierarchies and groupings under an Organization

    The Organization is the apex tenant-level construct in Snowflake. ORGADMIN is the system-defined role inside the originally-created account that operates on org-level objects: creating new accounts, enabling Database Replication and Account Replication, creating Failover Groups, creating Replication Groups, and managing Org-level Listings. The Organization is identified by a unique name (often the customer's company short-name) and every account sits inside it under an account locator that is unique within the Organization. The account locator combined with the cloud region forms the account identifier used in connection URLs.

    Within an Organization the architect places accounts on a chosen cloud provider and region per account. There is no requirement that all accounts share a provider or region; in fact one of the principal benefits of the Organization construct is that it supports cross-cloud topologies, with an AWS account in AWS_US_EAST_1, an Azure account in AZURE_WESTEUROPE, and a GCP account in GCP_US_CENTRAL1 all belonging to the same Organization and able to participate in cross-cloud replication and Listings. The account hierarchy is flat (Organization contains accounts directly, no intermediate folder); grouping is logical and is implemented via account naming conventions, account tags (where supported), and the assignment of accounts to Failover Groups or Replication Groups for DR purposes.

    -- Run as ORGADMIN in the customer's primary Snowflake account
    USE ROLE ORGADMIN;
    
    -- Inspect the Organization's accounts and their cloud locations
    SHOW ORGANIZATION ACCOUNTS;
    
    -- Create a new Business Critical account in EU West for personal data workloads
    CREATE ACCOUNT acme_eu_prod
     ADMIN_NAME = 'acme_eu_admin'
     ADMIN_PASSWORD = '<set-via-secret-manager>'
     FIRST_NAME = 'EU'
     LAST_NAME = 'Admin'
     EMAIL = 'eu-platform@acme.example'
     MUST_CHANGE_PASSWORD = TRUE
     EDITION = BUSINESS_CRITICAL
     REGION = AWS_EU_WEST_1
     COMMENT = 'EU GDPR-scoped production account';
    
    -- Enable Database Replication between accounts in the same Org
    USE ROLE ACCOUNTADMIN;
    
    ALTER DATABASE sales_prod ENABLE REPLICATION TO ACCOUNTS
     acme.acme_eu_prod,
     acme.acme_dr_prod;
    
    -- On the target account, run as ACCOUNTADMIN to create the replica
    USE ROLE ACCOUNTADMIN;
    CREATE DATABASE sales_prod
     AS REPLICA OF acme.acme_primary.sales_prod
     DATA_RETENTION_TIME_IN_DAYS = 30;
    
    -- Bind the replica to a refresh schedule (serverless)
    ALTER DATABASE sales_prod REFRESH;
    

    Account topology decision flow

    Cloud providers and regions

    Snowflake runs on AWS, Azure, and GCP. The choice of cloud provider per account is driven first by where the source data already lives (egress costs and ingestion latency are the dominant factors for ingest-heavy workloads), second by which cloud provider the organisation has its other workloads on (so that Private Link or Private Service Connect peering is reachable without inter-cloud routing), and third by regional availability of edition tiers and features. Not every Snowflake region supports every edition or every feature; a Government region restricts the list of available Snowflake features and is typically reserved for FedRAMP scoped workloads. The architect's responsibility is to verify the target region supports the required edition before promising it to the business.

    Region selection within a chosen cloud provider is driven by data residency law, by user latency, and by the location of the storage buckets the workload reads from. A workload that ingests from an S3 bucket in us-east-1 should land in a Snowflake account in AWS_US_EAST_1 to keep ingestion inside the cloud-provider backbone and to avoid cross-region transfer charges. Cross-region replication of either databases or whole accounts is supported but adds operational overhead and replication credit consumption. The default is to colocate the Snowflake account with the source storage and stage cross-region copies only for DR or Listings handoffs.

    📊 Limit: Database Replication and Account Replication can both replicate across cloud providers and across regions on Business Critical and higher. The Standard and Enterprise editions support replication, but Failover Groups and client redirect (the DR-grade primary swap) require Business Critical edition. Replication without a failover group still copies data but the cutover step is manual.

    Database and schema strategy

    A database is a security boundary, a backup boundary (Time Travel and Fail-safe are per-object but inherit defaults from the database), and a namespace. A schema is a namespace within a database. The architect designs the database and schema layout so that role grants attach at the database or schema level rather than per-table, future grants propagate cleanly, and data classification tier matches the object's containing namespace. The typical pattern is <domain>_<environment> for the database and <layer> for the schema: sales_prod / bronze, sales_prod / silver, sales_prod / gold, finance_prod / bronze, and so on. Environments live in separate databases rather than separate schemas inside one database, because zero-copy cloning between environments operates cleanly at the database level and a CLONE of a whole database carries Time Travel and tag bindings forward.

    Classification tier maps to the schema or to an object tag attached at the schema level. Public-tier data lands in sales_prod.public_marts, internal-tier data lands in sales_prod.internal_marts, restricted-tier data lands in sales_prod.restricted_marts. The schema name communicates the tier to anyone browsing the catalog, and the tag attached at the schema cascades to every table created inside it so that masking and row-access policies attach via tag inheritance rather than via per-table DDL. Future grants attach at the schema level so that newly created tables automatically inherit the appropriate access role grants without operator intervention.

    -- Schema-tier classification with tag inheritance
    USE ROLE SYSADMIN;
    USE DATABASE sales_prod;
    
    CREATE SCHEMA IF NOT EXISTS bronze
     COMMENT = 'Raw ingest landing zone';
    CREATE SCHEMA IF NOT EXISTS silver
     COMMENT = 'Conformed and cleansed data';
    CREATE SCHEMA IF NOT EXISTS gold_restricted
     COMMENT = 'Restricted-tier analytic marts';
    
    -- Attach a classification tag at the schema, inherited by every contained table
    USE ROLE GOVERNANCE_ADMIN;
    ALTER SCHEMA sales_prod.gold_restricted
     SET TAG governance.classification = 'RESTRICTED';
    
    -- Future grants so newly created tables in this schema auto-grant to the access role
    USE ROLE SECURITYADMIN;
    GRANT SELECT ON FUTURE TABLES IN SCHEMA sales_prod.gold_restricted
     TO ROLE ar_sales_gold_restricted_ro;
    GRANT SELECT, INSERT, UPDATE, DELETE ON FUTURE TABLES IN SCHEMA sales_prod.gold_restricted
     TO ROLE ar_sales_gold_restricted_rw;
    

    💡 Exam Trap: Object Tags applied to a parent (database or schema) cascade DOWN to child objects only for new objects created after the tag was set; existing objects also inherit at read time through the tag lineage view, but tag-based policy attachment evaluates the effective tag at the object. Tag changes on a parent propagate, but they do not retroactively modify child object DDL.

    🎯 Scenario: An architect inherits a single Snowflake account where every team has been given a database named after the team (marketing, sales, finance) with all environments living in schemas inside each database (marketing.dev, marketing.prod). Cloning the prod schema to a dev schema for testing forces a per-schema CLONE call for each environment, and Time Travel windows are inconsistent because retention is tied to the database. The right redesign is to flip the dimension: databases become <domain>_<env> (marketing_prod, marketing_dev), schemas become logical layers, and one CREATE DATABASE marketing_dev CLONE marketing_prod rebuilds the entire dev environment in a single statement.

    ⚠️ Anti-Pattern: Using the PUBLIC schema in every database as a working schema. PUBLIC is created automatically and is accessible to every role with USAGE on the database; production data parked in PUBLIC is one stray GRANT away from being exposed. Always create named schemas with explicit ownership and grant patterns.

    Decision anchor

    Choose a single-account topology when there is one regulatory boundary, no Business-Critical-only feature is required for one subset of workloads while another subset can run cheaper, and the blast radius of an ACCOUNTADMIN compromise is acceptable. Choose multi-account when regulatory residency, edition gating, or hard blast-radius isolation forces the split, and accept the operational cost of duplicating roles, network policies, and SCIM provisioning across the accounts.


    Continue with the interactive course

    Track your progress, jump into practice questions and use the Shark AI tutor inside the Snowflake - SnowPro Advanced Architect learning hub.