SnowPro Specialty - Native Apps (NAS-C01) Free Practice Test

Question 1

Consider the following scenario: You are tasked with designing a setup script for a Snowflake Native Application. This script needs to perform several tasks including creating a database role, granting privileges to the role, and creating a schem a. Your application also provides a configuration table that needs to be populated during the setup process. Which of the following set of statements are true regarding the order of operations and security best practices within the setup script? (Choose all that apply)

A. The setup script should always be designed to be idempotent, meaning it can be executed multiple times without causing errors or unintended side effects. Use 'CREATE ... IF NOT EXISTS' where appropriate.

B. It is best practice to create the database role before creating the schema, to immediately grant ownership on the schema to the created role.

C. Setup Scripts should be designed in a way that it requires multiple manual interventions during execution.

D. Populating the configuration table should be done before creating any other objects, as other parts of the application might rely on the configuration during object creation.

E. When granting privileges to the database role, use the 'APPLICATION' keyword to grant privileges on application objects, enhancing security and control.

Correct Answer: A,B,E

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

You are developing a Snowflake Native App that needs to access a secured external API to enrich customer dat a. The API requires an OAuth 2.0 token stored securely. Which of the following approaches would you use within the application manifest and Snowflake objects to securely store and access this token, minimizing exposure and adhering to best practices?

A. Store the OAuth 2.0 token as a cleartext secret in a Snowflake stage and access it using external functions.

B. Store the OAuth 2.0 token directly in the application's manifest file as a PARAMETER. This simplifies access within the application code.

C. Hardcode the OAuth 2.0 token within the application's stored procedures. This ensures the token is readily available.

D. Use Snowflake's SECRET object type to securely store the OAuth 2.0 token. Reference the SECRET object within the application using PARAMETERS in the manifest and utilize function in application code to retrieve it at runtime.

E. Store the OAuth 2.0 token as a masked comment within the application's SQL code. This will provide sufficient obfuscation.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 3

You are developing a Snowflake Native App that requires accessing sensitive user data within the consumer's account. To ensure data privacy and security, you need to implement appropriate access controls. Which of the following approaches is the MOST secure and recommended way to grant your app access to this data, assuming the data is stored in a table named 'user_data' ?

A. Creating a custom role in the consumer account with 'SELECT privilege on the 'user_data' table and granting that role to the application.

B. Granting 'USAGE privilege on the 'user_data' table directly to the application role provided by Snowflake Native App Framework.

C. Defining a secure view that filters the table based on the application role and granting 'SELECT privilege on the secure view to the application role provided by Snowflake Native App Framework.

D. Using a stored procedure with 'EXECUTE AS CALLER that accesses the 'user_data' table. Grant 'EXECUTE privilege on the stored procedure to the application role.

E. Granting 'SELECT privilege directly on the 'user_data' table to the application role provided by Snowflake Native App Framework.

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 4

You are developing a Snowflake Native Application that leverages Snowflake Event Tables to log application events. You notice that while the application is successfully writing events to the event table, consumers are reporting that they cannot query the event table. Assume that you have successfully implemented the logging mechanism in your code and data is being logged. Consider the following manifest section:

Which of the following steps is MOST critical to resolve this issue and ensure consumers can query the event table?

A. The correct approach is not listed, as consumers cannot directly query event tables associated with Snowflake Native Applications for security reasons.

B. Verify that the application role defined in the application manifest has been granted the 'SELECT privilege on the event table within the provider account.

C. Ensure that the consumer account has the 'MONITOR privilege on the application, as this is required to query event tables associated with native applications.

D. Confirm that the event table is explicitly listed in the 'shared_objects' section of the application manifest with the correct 'object_name', 'source_type' set to event_table', and 'privileges' including 'SELECT'.

E. Grant the 'APPLY MASKING POLICY privilege to the application role on the event table to enable consumers to see masked data, and the REFERENCE_USAGE privilege on the database and schema that contains the event table.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

You are developing a Snowflake Native Application that utilizes Snowpark Container Services (SPCS) for its backend processing. The application requires secure access to a specific endpoint hosted within the SPCS environment. You've defined a service in your SPCS compute pool. Which of the following SQL commands is the MOST secure and appropriate way to expose an endpoint for access from within the application's consumer environment, assuming the endpoint requires OAuth authentication?

A. ALTER SERVICE my_service ADD ENDPOINT my_endpoint WITH AUTHENTICATION TYPE = OAUTH;

B. CREATE SERVICE ENDPOINT my_endpoint FOR SERVICE my_service WITH AUTHENTICATION TYPE = SNOWFLAKE_JWT;

C. CREATE SERVICE ENDPOINT my_endpoint FOR SERVICE my_service WITH AUTHENTICATION TYPE = NONE;

D. BIND SERVICE ENDPOINT my_endpoint FOR SERVICE my_service WITH AUTHENTICATION TYPE = OAUTH TO APPLICATION PACKAGE;

E. CREATE SERVICE ENDPOINT my_endpoint FOR SERVICE my_service WITH AUTHENTICATION TYPE = OAUTH;

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

A provider is developing a Snowflake Native App and utilizes event sharing to communicate state changes to consumers. After initial installation, a consumer reports not receiving any event notifications. The provider has verified the event table is populated correctly. Which of the following are the MOST likely reasons for this issue and how can the provider troubleshoot them?

A. The consumer has not refreshed their application instance metadata. Ask the consumer to execute SYSTEM$REFRESH_EXTERNAL_FUNCTIONS() in the application database.

B. The consumer has not explicitly granted the necessary privileges on the event table function to the role used by the app. Instruct the consumer to grant USAGE on the event table function to the app role.

C. Event sharing is inherently unreliable and Snowflake does not guarantee event delivery. The provider should implement alternative polling mechanisms.

D. The event table function is not correctly filtering events based on the consumer's application instance I Review the function logic to ensure proper filtering using APP_INSTANCE_ID().

E. The consumer's event table function does not have the correct security invoker privileges. Grant EXECUTE TASK on the event table function to the consumer role.

Correct Answer: B,D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 7

You're developing a Snowflake Native App with a Streamlit I-Jl. The app needs to read configuration data from a file named within your application package. The file contains sensitive information, and you want to ensure it's only accessible by your application's code and not directly readable by the consumer. What steps would you take to accomplish this?

A. Store 'config.json' in an internal stage and grant the 'READ' privilege on the stage to the consumer's role.

B. Store 'config.json' in a table within your application's schema and grant the 'SELECT' privilege on the table to the consumer's role.

C. Store 'configjson' outside the application package and read it directly from an external stage at runtime.

D. Store 'config.json' within the application package and read it using Python code within a stored procedure. Grant appropriate privileges on the stored procedure, but not on the 'config.json' file or the internal stage.

E. Store 'config.json' within the Streamlit code, and then encode and decode it to the original string when the user invokes the Streamlit application.

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

You are developing a Snowflake Native Application that needs to be deployed across multiple consumer accounts. The application relies on a secure external function (SEF) for real-time data enrichment. The SEF interacts with a third-party API secured with OAuth 2.0. What are the MOST important considerations when designing the setup script for this application to ensure seamless deployment and security in the consumer accounts?

A. The setup script should create an API integration referencing a secret object in the consumer account, allowing the consumer to inject their own credentials post- installation.

B. The setup script should attempt to automatically create the API integration using the provider's credentials, but gracefully handle failures if the consumer's account lacks necessary privileges.

C. The setup script should include instructions for the consumer to manually create and configure the API integration using their own OAuth 2.0 credentials after the application is installed.

D. The setup script should pre-configure the API integration in the provider account and securely share the credentials with consumer accounts during the installation process.

E. The setup script should explicitly create a new API integration with the consumer's credentials, separate from the provider's account. Consumer will manually update credentials.

Correct Answer: A,C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 9

You are developing a Snowflake Native Application that requires secure access to external services for data enrichment. You choose to implement an External Function with API Integration. Which of the following security best practices are MOST important to implement when configuring the API Integration and the External Function to minimize security risks?

A. Store any sensitive credentials required by the external service directly in the External Function's code body for easy access.

B. Disable network policies on the API Integration to avoid accidental blocking of traffic.

C. Grant usage on the API integration to PUBLIC role to allow all users to invoke the external function.

D. Configure 'AWS IAM ROLE ARNS or similar parameters (depending on cloud provider) to grant Snowflake the least privilege access to the specific resources on the external service required by the function.

E. Use the parameter in the API Integration to restrict access to only the trusted IP addresses of the external service.

Correct Answer: D,E

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

A Snowflake Native Application, 'Geolnsights', uses an external API to enrich location data provided by consumers. This API requires an API key for authentication. How can you securely manage and access this API key within the Native Application's code, ensuring that it is not directly exposed in the application package or code repository?

A. Store the API key in an external key management system (e.g., AWS KMS, Azure Key Vault) and retrieve it within the UDF using a custom external function, ensuring the function has appropriate access permissions.

B. Use a Snowflake Secret to store the API key and retrieve it within the application's UDF using the 'SYSTEM$GET SECRET function.

C. Store the API key directly in a configuration file within the application package and encrypt the application package during deployment.

D. Pass the API key as a parameter to the UDF from the consumer's environment.

E. Hardcode the API key within the UDF itself after obfuscating it using a basic encoding algorithm (e.g., Base64).

Correct Answer: A,B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Snowflake SnowPro Specialty - Native Apps (NAS-C01) Free Practice Test