Introduction

Access history and audit logging help you see who did what and when in your Snowflake account. This is important to keep your data safe and understand user actions.

When you want to check who accessed sensitive data in your Snowflake account.

When you need to find out if someone made changes to your database objects.

When you want to track failed login attempts to detect possible security issues.

When you need to comply with company policies or legal regulations about data access.

When you want to monitor usage patterns to optimize your Snowflake resources.

Commands

This command retrieves the last 5 access events in your Snowflake account, showing who accessed what and when.

Terminal

SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY ORDER BY EVENT_TIMESTAMP DESC LIMIT 5;

Expected OutputExpected

QUERY_ID | EVENT_TIMESTAMP | USER_NAME | OBJECT_NAME | OBJECT_DOMAIN | CLIENT_IP -----------------------------------|----------------------|-----------|-------------|---------------|------------ 01a2b3c4-d5e6-789f-0123-456789abcdef | 2024-06-01 12:34:56 | JDOE | SALES_DATA | TABLE | 192.168.1.10 02b3c4d5-e6f7-890a-1234-56789abcdef0 | 2024-06-01 12:30:22 | AMILLER | CUSTOMER_DB | DATABASE | 192.168.1.11 03c4d5e6-f7a8-901b-2345-6789abcdef01 | 2024-06-01 12:25:10 | JDOE | ORDERS | TABLE | 192.168.1.10 04d5e6f7-a8b9-012c-3456-789abcdef012 | 2024-06-01 12:20:05 | LSMITH | INVENTORY | TABLE | 192.168.1.12 05e6f7a8-b9c0-123d-4567-89abcdef0123 | 2024-06-01 12:15:00 | AMILLER | SALES_DATA | TABLE | 192.168.1.11

This command shows the last 5 login attempts to your Snowflake account, including successes and failures.

Terminal

SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY ORDER BY EVENT_TIMESTAMP DESC LIMIT 5;

Expected OutputExpected

EVENT_TIMESTAMP | USER_NAME | SUCCESS | CLIENT_IP ----------------------|-----------|---------|------------ 2024-06-01 12:35:00 | JDOE | TRUE | 192.168.1.10 2024-06-01 12:33:45 | AMILLER | FALSE | 192.168.1.11 2024-06-01 12:30:00 | LSMITH | TRUE | 192.168.1.12 2024-06-01 12:25:30 | JDOE | TRUE | 192.168.1.10 2024-06-01 12:20:15 | AMILLER | TRUE | 192.168.1.11

This command fetches the last 3 queries run by user JDOE to audit their activity.

Terminal

SELECT * FROM SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY WHERE USER_NAME = 'JDOE' ORDER BY START_TIME DESC LIMIT 3;

Expected OutputExpected

QUERY_ID | START_TIME | QUERY_TEXT | ROWS_PRODUCED -----------------------------------|----------------------|----------------------------------|-------------- 0a1b2c3d-4e5f-6789-0abc-def123456789 | 2024-06-01 12:34:00 | SELECT * FROM SALES_DATA; | 1000 1b2c3d4e-5f67-890a-bcde-f1234567890a | 2024-06-01 12:20:00 | UPDATE ORDERS SET STATUS='SHIPPED' | 50 2c3d4e5f-6789-0abc-def1-234567890abc | 2024-06-01 12:10:00 | DELETE FROM INVENTORY WHERE QTY=0 | 10

Key Concept

If you remember nothing else from this pattern, remember: Snowflake's ACCOUNT_USAGE views let you see detailed records of who accessed your data and when.

Common Mistakes

Trying to query access history without the ACCOUNTADMIN role or proper privileges.

You will get an error or empty results because access to these views is restricted for security.

Use a role with the necessary privileges like ACCOUNTADMIN or a custom role granted access to ACCOUNT_USAGE views.

Assuming access history shows real-time data immediately.

The data in ACCOUNT_USAGE views can be delayed by up to 45 minutes.

Plan audits accordingly and understand that recent events may not appear instantly.

Not filtering or limiting query results, causing very large outputs.

This can slow down queries and make it hard to find relevant information.

Always use filters like USER_NAME, time ranges, or LIMIT clauses to focus your audit.

Summary

Use SELECT queries on SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY to see who accessed data and when.

Check SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY to monitor login attempts and detect failures.

Filter and limit your queries to get relevant audit information efficiently.