The SnowPro Advanced: Security Engineer Certification validates expert-level knowledge of designing, implementing, and operating security in a Snowflake environment. The exam comprehensively covers the features a security engineer designs and manages day to day, including network isolation, encryption architecture, RBAC/DAC, data masking, auditing, and compliance.
| Item | Details |
|---|---|
| Questions | 65 questions (single choice and multiple choice) |
| Duration | 115 minutes |
| Passing Score | 750 out of 1000 |
| Cost | $375 USD |
| Prerequisites | Active SnowPro Core certification |
| Delivery | Pearson VUE (test center or online) |
| Validity | 2 years |
| Recommended Experience | 2+ years of hands-on Snowflake security design and operations |
| Domain | Weight | Key Topics |
|---|---|---|
| 1. Network Security | 20% | Network policies, PrivateLink, VPN, IP restrictions |
| 2. Access Control | 25% | RBAC/DAC, role hierarchy design, masking policies, row access policies |
| 3. Encryption & Key Management | 20% | AES-256, key hierarchy, Tri-Secret Secure, key rotation |
| 4. Audit & Monitoring | 20% | ACCESS_HISTORY, LOGIN_HISTORY, QUERY_HISTORY, audit log analysis |
| 5. Compliance & Governance | 15% | SOC 2, HIPAA, PCI DSS, GDPR, data classification, tag management |
| Setting | Description |
|---|---|
| ALLOWED_IP_LIST | List of IP addresses/CIDRs that are allowed to connect |
| BLOCKED_IP_LIST | IPs to exclude from the ALLOWED_IP_LIST |
| Scope | Account level or user level (user level takes precedence) |
| Caution | If a misconfiguration locks you out, you must contact Snowflake Support |
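The settings above in use, as an added example that is not from the original page; the policy names, the 203.0.113.0/24 office range, the 203.0.113.250 blocked host, the 198.51.100.17 ETL host and the ETL_SVC user are constructed, and the IP check before account-level activation is the lockout guard the table's caution calls for:

```sql
-- Added example (not from the original page). Names and addresses are constructed:
-- CORP_ONLY, the 203.0.113.0/24 office range, the 203.0.113.250 host that must never
-- connect, the 198.51.100.17 ETL host and the ETL_SVC service user.
USE ROLE SECURITYADMIN;

-- Allow the office range but carve out one host inside it.
-- BLOCKED_IP_LIST only has an effect for addresses that ALLOWED_IP_LIST covers.
CREATE NETWORK POLICY corp_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  BLOCKED_IP_LIST = ('203.0.113.250')
  COMMENT = 'Office egress range only';

-- Lockout guard: confirm the session you are working from is inside the
-- allowed range BEFORE activating the policy account-wide.
SELECT CURRENT_IP_ADDRESS() AS my_ip;

-- Activate at the account level. Every user without a user-level policy
-- now inherits CORP_ONLY.
ALTER ACCOUNT SET NETWORK_POLICY = corp_only;

-- A user-level policy takes precedence over the account policy, so a
-- service account can be pinned to its single ETL host.
CREATE NETWORK POLICY etl_host_only
  ALLOWED_IP_LIST = ('198.51.100.17');
ALTER USER etl_svc SET NETWORK_POLICY = etl_host_only;

-- Review what is in force.
SHOW NETWORK POLICIES;
DESCRIBE NETWORK POLICY corp_only;

-- Back out the account-wide policy if the allowed range turns out to be wrong.
-- ALTER ACCOUNT UNSET NETWORK_POLICY;
```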
Snowflake uses an access control model that combines RBAC (Role-Based Access Control) and DAC (Discretionary Access Control).
| Access Control | How It Works | How to Manage |
|---|---|---|
| RBAC | Grant privileges to roles and assign roles to users | GRANT <privilege> ON ... TO ROLE / GRANT ROLE ... TO USER |
| DAC | The object creator (owning role) grants privileges to other roles | GRANT ... ON ... TO ROLE |
| Masking Type | Description | How to Apply |
|---|---|---|
| Dynamic Data Masking | Masks column values at query time based on the role | ALTER COLUMN ... SET MASKING POLICY |
| External Tokenization | Tokenizes values via an external service | External Function + masking policy |
| Tag-Based Masking | Applies a masking policy in bulk via a tag | ALTER TAG ... SET MASKING POLICY |
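Dynamic Data Masking and Tag-Based Masking side by side, as an added example that is not from the original page; the roles PII_ANALYST and ANALYST, the tables CRM.CUSTOMERS and CRM.LEADS with their email columns, and the tag PII_CLASS are constructed names. Masking policies require Enterprise Edition or higher.

```sql
-- Added example (not from the original page). Constructed names: roles PII_ANALYST
-- and ANALYST, tables CRM.CUSTOMERS / CRM.LEADS, tag PII_CLASS.

-- Dynamic Data Masking: the policy body is evaluated at query time and branches
-- on the querying role. Unprivileged roles only see the domain part of the address.
CREATE OR REPLACE MASKING POLICY email_mask AS (val STRING) RETURNS STRING ->
  CASE
    WHEN CURRENT_ROLE() IN ('PII_ANALYST', 'ACCOUNTADMIN') THEN val
    ELSE REGEXP_REPLACE(val, '^.+@', '*****@')
  END;

-- Direct assignment to a single column.
ALTER TABLE crm.customers MODIFY COLUMN email SET MASKING POLICY email_mask;

-- Tag-based masking: attach the policy to a tag, then tag columns. Every STRING
-- column that carries the tag is masked without a per-column statement.
CREATE OR REPLACE TAG pii_class ALLOWED_VALUES 'email', 'phone';
ALTER TAG pii_class SET MASKING POLICY email_mask;
ALTER TABLE crm.leads MODIFY COLUMN contact_email SET TAG pii_class = 'email';

-- Verify which policy governs each column. A policy assigned directly to a
-- column takes precedence over one inherited through a tag.
SELECT * FROM TABLE(information_schema.policy_references(
  ref_entity_name => 'CRM.CUSTOMERS', ref_entity_domain => 'TABLE'));

-- Check from an unprivileged role: the column should come back masked.
USE ROLE ANALYST;
SELECT email FROM crm.customers LIMIT 5;
```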
| Layer | Encryption Method | Managed By |
|---|---|---|
| Data files | Encrypted with an AES-256 file key | Auto-managed by Snowflake |
| Table key | Key that encrypts file keys | Auto-managed by Snowflake |
| Account master key | Root key that encrypts table keys | Snowflake-managed (auto-rotated once a year) |
| Composed master key (Tri-Secret Secure) | Customer key + Snowflake key -> composed key | Jointly managed by the customer and Snowflake |
All data is automatically encrypted on write (Encryption at Rest), and network traffic is protected with TLS 1.2 (Encryption in Transit). There is no setting for users to toggle encryption on or off; it is always on.
| View | Contents | Latency |
|---|---|---|
| LOGIN_HISTORY | Login success/failure, authentication method, and IP address | Up to 120 minutes |
| ACCESS_HISTORY | Read/write access history against objects | Up to 3 hours |
| QUERY_HISTORY | Details of every executed query | Up to 45 minutes |
| SESSIONS | Active session information | Up to 3 hours |
| GRANTS_TO_USERS | History of role grants to users | Up to 120 minutes |
For security audits, it's important to detect suspicious login attempts in LOGIN_HISTORY (large numbers of failures in a short window, access from unknown IPs) and analyze unexpected data access patterns in ACCESS_HISTORY.
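The three checks described above as ACCOUNT_USAGE queries, added here as an example that is not from the original page; the thresholds (5 failures per 10 minutes, a 30-day IP baseline), the PROD.PII schema and the PII_SVC allow-listed user are constructed:

```sql
-- Added example (not from the original page). Constructed: the 5-failures-per-10-minute
-- threshold, the 30-day IP baseline, the PROD.PII schema and the PII_SVC user.
-- ACCOUNT_USAGE views lag (LOGIN_HISTORY up to 120 min, ACCESS_HISTORY up to 3 h),
-- so schedule these rather than expecting real-time alerts.

-- 1. Burst of failed logins: many failures by one user in a short window,
--    typical of credential stuffing or a misconfigured client.
SELECT user_name,
       TIME_SLICE(event_timestamp, 10, 'MINUTE') AS window_start,
       COUNT(*)                                  AS failures,
       COUNT(DISTINCT client_ip)                 AS distinct_ips,
       ANY_VALUE(error_message)                  AS sample_error
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'NO'
  AND  event_timestamp >= DATEADD('hour', -24, CURRENT_TIMESTAMP())
GROUP  BY user_name, TIME_SLICE(event_timestamp, 10, 'MINUTE')
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;

-- 2. Successful login from an IP never seen for that user in the prior 30 days
--    (the "unknown IP" case). Also surfaces which MFA factors were used.
WITH baseline AS (
  SELECT DISTINCT user_name, client_ip
  FROM   snowflake.account_usage.login_history
  WHERE  is_success = 'YES'
    AND  event_timestamp <  DATEADD('day', -1,  CURRENT_TIMESTAMP())
    AND  event_timestamp >= DATEADD('day', -31, CURRENT_TIMESTAMP())
)
SELECT l.user_name, l.client_ip, l.event_timestamp,
       l.first_authentication_factor, l.second_authentication_factor
FROM   snowflake.account_usage.login_history l
LEFT   JOIN baseline b
       ON b.user_name = l.user_name AND b.client_ip = l.client_ip
WHERE  l.is_success = 'YES'
  AND  l.event_timestamp >= DATEADD('day', -1, CURRENT_TIMESTAMP())
  AND  b.client_ip IS NULL;

-- 3. Reads of a sensitive schema by users outside the approved list.
--    BASE_OBJECTS_ACCESSED is an array of objects, so it has to be flattened.
SELECT a.user_name, a.query_start_time, a.query_id,
       o.value:objectName::STRING AS object_name
FROM   snowflake.account_usage.access_history a,
       LATERAL FLATTEN(input => a.base_objects_accessed) o
WHERE  o.value:objectName::STRING LIKE 'PROD.PII.%'
  AND  a.query_start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP())
  AND  a.user_name NOT IN ('PII_SVC');  -- constructed allow-list
```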
| Standard | Supported Edition | Required Configuration |
|---|---|---|
| SOC 1 / SOC 2 Type II | All editions | Supported by default |
| HIPAA | Business Critical or higher | BAA execution, encryption, access control, audit logs |
| PCI DSS | Business Critical or higher | Network isolation, encryption, access control, log monitoring |
| FedRAMP Moderate | VPS (for government) | Operate in a FedRAMP-authorized region |
| GDPR | All editions | Data retention policy, data masking, deletion handling |
SnowPro Advanced: Security Engineer
Question 1
Which Snowflake encryption scheme uses a customer-managed key such that, when the customer disables the key, Snowflake itself can no longer access the data?
Correct answer: B
Tri-Secret Secure is an encryption scheme that generates a composed master key by combining a customer-managed key (AWS KMS/Azure Key Vault/GCP Cloud KMS) with a Snowflake-managed key. If the customer disables the key in their own KMS, the composed key can no longer be derived, and Snowflake can no longer decrypt the data either. It is available on Business Critical Edition or higher.
How does the SnowPro Advanced Security Engineer exam differ from the Administrator exam?
The Administrator exam broadly covers overall account operations including security (performance, cost management, data governance, and more), while the Security Engineer exam tests deep knowledge focused specifically on security. Concretely, it covers a security engineer's specialty areas: encryption architecture (AES-256, key hierarchy, Tri-Secret Secure), network isolation (PrivateLink, VPN), designing for compliance requirements (SOC 2, HIPAA, PCI DSS), and audit log analysis (ACCESS_HISTORY, LOGIN_HISTORY).
What is Tri-Secret Secure, and how is it tested on the exam?
Tri-Secret Secure is an encryption scheme that combines three keys: a Snowflake-managed key, a customer-managed key, and a composed master key. Combining the customer's key managed in AWS KMS/Azure Key Vault/GCP Cloud KMS with Snowflake's key means that if the customer disables their key, Snowflake can no longer access the data either. The exam tests that it is available on Business Critical Edition or higher, the behavior when a customer revokes their key, and the setup procedure.
How heavily are compliance topics (SOC 2/HIPAA/PCI DSS) weighted on the Security Engineer exam?
Compliance accounts for roughly 15% of the exam. Expect questions on each compliance standard and the Snowflake edition required (HIPAA/PCI DSS need Business Critical or higher), the necessary configuration (network isolation, encryption, enabling audit logs, access control), and how to execute a BAA (Business Associate Agreement). You don't need to memorize specific clauses, but you do need to understand which Snowflake feature satisfies which requirement of which standard.
NicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.