Fivetran Hardening Guide
Data integration platform hardening for Fivetran including SSO configuration, role-based access, and connector security
Overview
Fivetran is a leading data integration platform that automates data pipelines for thousands of organizations worldwide. Because it moves data between systems, including databases, SaaS applications, and data warehouses, its security configuration directly affects data confidentiality and integrity across your data ecosystem.
Intended Audience
- Security engineers managing data platforms
- IT administrators configuring Fivetran
- Data engineers securing data pipelines
- GRC professionals assessing data integration security
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Fivetran Dashboard security including SAML SSO, role-based access control, connector security, and session management.
Table of Contents
- Authentication & SSO
- Access Controls
- Connector Security
- Monitoring & Compliance
- Compliance Quick Reference
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO to centralize authentication for Fivetran users.
Rationale
Why This Matters:
- Centralizes identity management
- Enables enforcement of organizational MFA policies
- Supports just-in-time provisioning
- Simplifies user lifecycle management
Prerequisites
- Fivetran account with Account Administrator role
- SAML 2.0 compatible identity provider
- IdP SuperAdmin or AppAdmin access
ClickOps Implementation
Step 1: Access SSO Configuration
- Navigate to: Account Settings → General
- Locate Authentication Settings section
- Review current authentication configuration
Step 2: Configure Identity Provider
- Create SAML application in your IdP:
  - Okta
  - Microsoft Entra ID
  - Google Workspace
  - PingOne
  - CyberArk Identity
- Configure attribute mappings
Step 3: Configure Fivetran SSO
- Navigate to: Account Settings → SSO
- Enable SAML authentication
- Enter IdP metadata:
  - IdP SSO URL
  - IdP Entity ID
  - X.509 Certificate
- Save configuration
Step 4: Test and Enforce
- Test SSO authentication
- Verify user can sign in via IdP
- Enable SSO enforcement (see 1.2)
Time to Complete: ~1 hour
Code Implementation
Code Pack: Terraform
```hcl
# Configure SAML SSO for centralized authentication
#
# Note: the Fivetran Terraform provider does not expose a dedicated SAML SSO
# resource; SAML settings are managed through the Fivetran REST API or the
# Dashboard. The null_resource below automates the API call (the endpoint and
# JSON field names are the ones used throughout this guide's code packs).
resource "null_resource" "configure_saml_sso" {
  count = var.saml_idp_sso_url != "" ? 1 : 0

  triggers = {
    idp_sso_url   = var.saml_idp_sso_url
    idp_entity_id = var.saml_idp_entity_id
    # Re-run when the IdP signing certificate is rotated
    idp_cert_hash = sha256(var.saml_x509_certificate)
  }

  provisioner "local-exec" {
    # API credentials and the request body are passed through the environment
    # rather than interpolated into the command line, so they do not show up in
    # process listings or in Terraform's logged command string.
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
      # jsonencode() escapes the certificate's newlines; a hand-built JSON body
      # with a multi-line PEM certificate pasted into it is not valid JSON
      SAML_CONFIG_BODY = jsonencode({
        saml_enabled     = true
        saml_sso_url     = var.saml_idp_sso_url
        saml_entity_id   = var.saml_idp_entity_id
        saml_certificate = var.saml_x509_certificate
      })
    }
    # -u lets curl build the Basic header itself (no base64 line wrapping on
    # long key:secret strings); -f makes a non-2xx response fail the apply
    command = <<-EOT
      curl -fsS -X PATCH "https://api.fivetran.com/v1/account/config" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
        -H "Content-Type: application/json" \
        --data-binary "$SAML_CONFIG_BODY"
    EOT
  }
}
```
1.2 Restrict Authentication to SSO
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 6.3 |
| NIST 800-53 | IA-2 |
Description
Require all users to authenticate via SSO only.
ClickOps Implementation
Step 1: Configure Authentication Restriction
- Navigate to: Account Settings → General
- Go to Account Settings tab
- Find Authentication Settings section
Step 2: Set Required Authentication
- Set Required authentication type to SAML
- This prevents password login
- All users must use SSO
Step 3: Verify Enforcement
- Test login with password (should fail)
- Verify SSO login works
- Document emergency access procedures
Code Implementation
Code Pack: Terraform
```hcl
# Enforce SAML-only authentication (L2+)
# Disables password-based login -- all users must authenticate via IdP
resource "null_resource" "enforce_saml_only" {
  count = var.profile_level >= 2 && var.sso_enforce_saml_only && var.saml_idp_sso_url != "" ? 1 : 0

  triggers = {
    profile_level = var.profile_level
    enforce_saml  = var.sso_enforce_saml_only
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
    }
    command = <<-EOT
      curl -fsS -X PATCH "https://api.fivetran.com/v1/account/config" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
        -H "Content-Type: application/json" \
        -d '{"required_authentication_type": "SAML"}'
    EOT
  }
}

# Validation: verify password login is disabled after enforcement
# Exits non-zero (failing the apply) if the setting did not take effect, so a
# half-applied SSO rollout cannot pass silently
resource "null_resource" "verify_saml_enforcement" {
  count      = var.profile_level >= 2 && var.sso_enforce_saml_only && var.saml_idp_sso_url != "" ? 1 : 0
  depends_on = [null_resource.enforce_saml_only]

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
    }
    # The response is parsed as JSON instead of grepped for an exact byte
    # sequence, so whitespace or key ordering cannot produce a false result
    command = <<-EOT
      echo "Verifying SAML enforcement..."
      curl -fsS "https://api.fivetran.com/v1/account/config" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      body = json.load(sys.stdin)
      cfg = body.get("data", body)
      auth = cfg.get("required_authentication_type")
      ok = auth == "SAML"
      print("PASS: SAML-only authentication enforced" if ok else "FAIL: required_authentication_type is %r" % auth)
      sys.exit(0 if ok else 1)
      '
    EOT
  }
}
```
1.3 Configure Just-In-Time Provisioning
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.3 |
| NIST 800-53 | AC-2 |
Description
Enable automatic user provisioning on first login.
ClickOps Implementation
Step 1: Enable JIT Provisioning
- Navigate to: Account Settings → SSO
- Turn on the Enable SAML authentication toggle
- Turn on the Enable user provisioning toggle
Step 2: Configure SAML Attributes
- Configure IdP to send:
  - Email address
  - First name
  - Last name
- New users are created automatically on SAML sign-on
Step 3: Configure Default Permissions
- Note: JIT-provisioned users are created with no permissions by default
- Enable SCIM for role provisioning
- Or manually assign roles after creation
Code Implementation
Code Pack: Terraform
```hcl
# Enable JIT user provisioning via SAML (L2+)
# New users are created on first SAML login with no permissions; assign roles
# through SCIM (2.3) or manually afterwards
resource "null_resource" "configure_jit_provisioning" {
  count = var.profile_level >= 2 && var.jit_provisioning_enabled && var.saml_idp_sso_url != "" ? 1 : 0

  triggers = {
    profile_level = var.profile_level
    jit_enabled   = var.jit_provisioning_enabled
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
    }
    command = <<-EOT
      curl -fsS -X PATCH "https://api.fivetran.com/v1/account/config" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
        -H "Content-Type: application/json" \
        -d '{"saml_enabled": true, "saml_user_provisioning": true}'
    EOT
  }
}
```
1.4 Configure Session Timeout
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.2 |
| NIST 800-53 | AC-12 |
Description
Configure session timeout for dashboard access.
Prerequisites
- Enterprise or Business Critical plan (for custom timeout)
ClickOps Implementation
Step 1: Access Session Settings
- Navigate to: Account Settings → General
- Find session timeout settings
Step 2: Configure Timeout Duration
- Select session timeout:
  - 15 minutes
  - 30 minutes
  - 1 hour
  - 4 hours
  - 1 day
  - 2 weeks
- Default is 1 day (24 hours)
Step 3: Apply Restrictions
- Shorter timeouts for sensitive data
- Sessions end when browser closes
- Document timeout policy
Code Implementation
Code Pack: Terraform
```hcl
# Configure session timeout for dashboard access
# Shorter timeouts reduce the window in which a stolen or unattended session
# can be used
#
# Recommended values by profile level:
#   L1 (Baseline):         60 minutes (1 hour)
#   L2 (Hardened):         30 minutes
#   L3 (Maximum Security): 15 minutes
resource "null_resource" "configure_session_timeout" {
  triggers = {
    profile_level   = var.profile_level
    timeout_minutes = var.session_timeout_minutes
  }

  lifecycle {
    # Only the durations the Dashboard offers (15m, 30m, 1h, 4h, 1d, 2w) are
    # accepted, and the value must not exceed the ceiling for the profile level
    precondition {
      condition = (
        contains([15, 30, 60, 240, 1440, 20160], var.session_timeout_minutes)
        && var.session_timeout_minutes <= [60, 30, 15][var.profile_level - 1]
      )
      error_message = "session_timeout_minutes must be one of 15, 30, 60, 240, 1440 or 20160 and within the profile ceiling (L1: 60, L2: 30, L3: 15)."
    }
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
      SESSION_TIMEOUT     = var.session_timeout_minutes
    }
    command = <<-EOT
      curl -fsS -X PATCH "https://api.fivetran.com/v1/account/config" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
        -H "Content-Type: application/json" \
        -d "{\"session_timeout\": $SESSION_TIMEOUT}"
    EOT
  }
}
```
2. Access Controls
2.1 Configure Role-Based Access Control
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Implement role-based permissions for Fivetran access.
ClickOps Implementation
Step 1: Review Account Roles
- Navigate to: Account Settings → Users
- Review available roles:
  - Account Administrator: Full account control
  - Account Analyst: View-only access
  - Account Billing: Billing management
  - Team Manager: Team administration
Step 2: Assign Appropriate Roles
- Limit Account Administrator to 2-3 users
- Use Analyst for read-only needs
- Use custom roles when possible
Step 3: Configure Destination/Connector Roles
- Assign connector-level permissions
- Assign destination-level permissions
- Apply minimum necessary access
Code Implementation
Code Pack: Terraform
```hcl
# Assign Account Administrator role to designated admin users only
# Limit to 2-3 users per the hardening guide recommendation
#
# var.admin_users and var.analyst_users are maps keyed by email address:
#   { "ada@example.com" = { given_name = "Ada", family_name = "Example" } }
# fivetran_user needs the email and name to invite a user who does not exist
# yet, and manages the account-level role for users who already do
resource "fivetran_user" "admin_users" {
  for_each    = var.admin_users
  email       = each.key
  given_name  = each.value.given_name
  family_name = each.value.family_name
  role        = "Account Administrator"
}

# Assign read-only Analyst role for view-only access
resource "fivetran_user" "analyst_users" {
  for_each    = var.analyst_users
  email       = each.key
  given_name  = each.value.given_name
  family_name = each.value.family_name
  role        = "Account Analyst"
}

# Validation: audit the number of Account Administrators, both as declared
# here and as actually present in the account (admins added through the
# Dashboard would otherwise go unnoticed)
resource "null_resource" "audit_admin_count" {
  triggers = {
    admin_count = length(var.admin_users)
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
      DECLARED_ADMINS     = length(var.admin_users)
    }
    command = <<-EOT
      if [ "$DECLARED_ADMINS" -gt 3 ]; then
        echo "WARNING: $DECLARED_ADMINS Account Administrators declared. Recommendation: limit to 2-3 administrators."
      else
        echo "PASS: $DECLARED_ADMINS Account Administrator(s) declared (within recommended limit)."
      fi
      # Enumerate current account users and their roles via API
      echo "Fetching current user roles..."
      curl -fsS "https://api.fivetran.com/v1/users" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      users = json.load(sys.stdin).get("data", {}).get("items", [])
      admins = [u for u in users if u.get("role") == "Account Administrator"]
      print("Total users: %d" % len(users))
      print("Account Administrators: %d" % len(admins))
      for a in admins:
          print("  - " + a.get("email", "unknown"))
      if len(admins) > 3:
          print("WARNING: live Account Administrator count exceeds the recommended limit of 3")
      ' || echo "Note: user audit failed (API error or python3 missing)"
    EOT
  }
}
```
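As an added example (not part of this guide's code packs or of Fivetran's tooling), the following Python script evaluates exported account/config and /v1/users responses offline against the L1-L3 expectations of sections 1.1 to 1.4 and 2.1; the JSON field names are the ones the curl snippets above read, and the two sample documents are constructed.

```python
"""Offline profile checker for the account settings covered in 1.1-1.4 and 2.1.
Added example, not part of the guide's code pack. The field names follow the
ones the guide's curl/python snippets read; the samples below are constructed."""
import json

# Session timeout ceiling in minutes per profile level (section 1.4)
MAX_SESSION_TIMEOUT = {1: 60, 2: 30, 3: 15}
DEFAULT_SESSION_TIMEOUT = 1440  # Fivetran default of 1 day (section 1.4)
MAX_ADMINS = 3                  # "limit Account Administrator to 2-3 users" (2.1)


def check_account(config, users, profile_level):
    """Evaluate an account/config document and a user list against one profile
    level. Returns a list of (check, passed, detail) tuples in guide order."""
    if profile_level not in MAX_SESSION_TIMEOUT:
        raise ValueError("profile_level must be 1, 2 or 3")
    findings = []

    # 1.1 SAML SSO configured (L1)
    saml_on = bool(config.get("saml_enabled"))
    findings.append(("1.1 SAML SSO enabled", saml_on, f"saml_enabled={saml_on}"))

    if profile_level >= 2:
        # 1.2 SAML-only authentication (L2): password login must be off
        auth_type = config.get("required_authentication_type")
        findings.append(("1.2 SAML-only authentication", auth_type == "SAML",
                         f"required_authentication_type={auth_type!r}"))
        # 1.3 JIT provisioning (L2)
        jit = bool(config.get("saml_user_provisioning"))
        findings.append(("1.3 JIT provisioning", jit, f"saml_user_provisioning={jit}"))

    # 1.4 Session timeout (L1): a missing value means the default of 1 day applies
    limit = MAX_SESSION_TIMEOUT[profile_level]
    timeout = config.get("session_timeout", DEFAULT_SESSION_TIMEOUT)
    ok = isinstance(timeout, int) and 0 < timeout <= limit
    findings.append(("1.4 session timeout", ok, f"{timeout} min, L{profile_level} max {limit}"))

    # 2.1 RBAC: few administrators, and nobody left without a role
    admins = sorted(u.get("email", "?") for u in users if u.get("role") == "Account Administrator")
    findings.append(("2.1 Account Administrator count", 1 <= len(admins) <= MAX_ADMINS,
                     f"{len(admins)} admins: {', '.join(admins)}"))
    # JIT-provisioned users start with no permissions (1.3 step 3); a user with
    # no role is either waiting for assignment or should be removed
    unassigned = sorted(u.get("email", "?") for u in users if not u.get("role"))
    findings.append(("2.1 users without a role", not unassigned,
                     f"{len(unassigned)} unassigned: {', '.join(unassigned) or 'none'}"))
    return findings


def failed_checks(config, users, profile_level):
    """Names of the checks that did not pass, for scripting or a CI gate."""
    return [name for name, passed, _ in check_account(config, users, profile_level) if not passed]


# Constructed sample responses (not real account data)
SAMPLE_CONFIG = json.loads("""{
  "saml_enabled": true,
  "required_authentication_type": "SAML",
  "saml_user_provisioning": false,
  "session_timeout": 1440
}""")
SAMPLE_USERS = json.loads("""{"data": {"items": [
  {"email": "ada@example.com", "role": "Account Administrator"},
  {"email": "bob@example.com", "role": "Account Administrator"},
  {"email": "cy@example.com",  "role": "Account Administrator"},
  {"email": "dee@example.com", "role": "Account Administrator"},
  {"email": "eve@example.com", "role": "Account Analyst"},
  {"email": "jit@example.com"}
]}}""")["data"]["items"]


if __name__ == "__main__":
    for level in (1, 2):
        print(f"Profile L{level}:")
        for name, passed, detail in check_account(SAMPLE_CONFIG, SAMPLE_USERS, level):
            print(f"  [{'PASS' if passed else 'FAIL'}] {name}: {detail}")
```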
2.2 Configure Team Structure
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6(1) |
Description
Organize users into teams for granular access control.
ClickOps Implementation
Step 1: Create Teams
- Navigate to: Account Settings → Teams
- Click Create Team
- Name team by function or project
Step 2: Assign Team Managers
- Only Team Managers and Account Admins can manage teams
- Assign Team Manager role
- Limit managers to necessary personnel
Step 3: Configure Team Permissions
- Assign connectors to teams
- Assign destinations to teams
- Users inherit team permissions
Code Implementation
Code Pack: Terraform
```hcl
# Create teams for granular access control (L2+)
# Teams enable logical grouping of users with shared connector/destination access
resource "fivetran_team" "teams" {
  for_each    = var.profile_level >= 2 ? var.teams : {}
  name        = each.value.name
  description = each.value.description
  # The team's account-level role, inherited by every member (for example a
  # read-only role for review teams). "Team Member" and "Team Manager" are
  # membership roles and belong in fivetran_team_user_membership below.
  role = each.value.account_role
}

# Assign users to teams (L2+)
resource "fivetran_team_user_membership" "memberships" {
  for_each = var.profile_level >= 2 ? var.team_user_memberships : {}
  team_id  = fivetran_team.teams[each.key].id

  # each.value maps user_id => "Team Member" | "Team Manager"; keep managers
  # to the few people who need to administer the team (Step 2)
  dynamic "user" {
    for_each = each.value
    content {
      user_id = user.key
      role    = user.value
    }
  }
}
```
2.3 Configure SCIM Provisioning
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.3 |
| NIST 800-53 | AC-2 |
Description
Configure SCIM for automated user and group provisioning.
ClickOps Implementation
Step 1: Enable SCIM
- Navigate to: Account Settings → SCIM
- Generate SCIM API token
- Copy SCIM base URL
Step 2: Configure IdP SCIM
- Add SCIM integration in IdP
- Enter Fivetran SCIM endpoint
- Enter API token
Step 3: Configure User/Group Sync
- Map IdP groups to Fivetran teams
- Configure provisioning rules
- Test user synchronization
Code Implementation
Code Pack: Terraform
```hcl
# Enable SCIM provisioning for automated user and group lifecycle (L2+)
# SCIM endpoint: https://api.fivetran.com/v1/scim
# Configure your IdP to push users/groups to this endpoint
resource "null_resource" "configure_scim" {
  count = var.profile_level >= 2 ? 1 : 0

  triggers = {
    profile_level = var.profile_level
  }

  # Request a SCIM API token and store it in a file readable only by the
  # current user. The token is never echoed: provisioner output ends up in
  # Terraform and CI logs, and the token cannot be retrieved again afterwards.
  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
      # Assumed variable: path for the token response, outside the repository
      SCIM_TOKEN_FILE = var.scim_token_file
    }
    command = <<-EOT
      echo "============================================="
      echo "SCIM Provisioning Setup (L2+)"
      echo "============================================="
      echo "Fivetran SCIM Base URL: https://api.fivetran.com/v1/scim"
      umask 077
      curl -fsS -X POST "https://api.fivetran.com/v1/account/scim-token" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
        -H "Content-Type: application/json" \
        -o "$SCIM_TOKEN_FILE"
      python3 -c '
      import json, sys
      path = sys.argv[1]
      data = json.load(open(path)).get("data", {})
      if data.get("token"):
          print("SCIM token generated and written to %s (mode 0600). Move it to your secrets manager." % path)
      else:
          print("WARN: no token in response; check API permissions. Response: " + json.dumps(data))
          sys.exit(1)
      ' "$SCIM_TOKEN_FILE"
      echo ""
      echo "IdP Configuration Steps:"
      echo "  1. Add SCIM integration in your IdP"
      echo "  2. Set SCIM endpoint: https://api.fivetran.com/v1/scim"
      echo "  3. Enter the generated SCIM API token"
      echo "  4. Map IdP groups to Fivetran teams"
      echo "  5. Test user synchronization"
    EOT
  }
}
```
3. Connector Security
3.1 Secure Connector Credentials
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-12 |
Description
Secure credentials used for data source connections.
Rationale
Why This Matters:
- Fivetran stores credentials for data sources
- Compromised credentials expose source systems
- Apply least privilege to connector accounts
ClickOps Implementation
Step 1: Create Dedicated Service Accounts
- Create service accounts for each connector
- Grant minimum required permissions:
  - Read access for data extraction
  - SELECT only for database connectors
- Never use admin credentials
Step 2: Use SSH Tunnels
- For database connectors, enable SSH tunnels
- More secure than direct connections
- Encrypt data in transit
Step 3: Rotate Credentials
- Establish rotation schedule (90 days)
- Update credentials in Fivetran
- Verify connector after rotation
Code Implementation
Code Pack: Terraform
```hcl
# Create connectors with least-privilege service account credentials
# Each connector should use a dedicated service account with minimum permissions
#
# var.connectors is a map keyed by connector name; each entry carries group_id,
# service, schema_name, sync_frequency, paused, trust_certs, trust_fingerprints,
# run_setup_tests and a config map with the source settings. Credential values
# belong in a secrets manager and reach Terraform through sensitive variables,
# never through committed .tfvars files.
resource "fivetran_connector" "managed_connectors" {
  for_each = var.connectors

  group_id = each.value.group_id
  service  = each.value.service

  # trust_certs / trust_fingerprints = true makes Fivetran accept whatever
  # certificate or SSH host key the source presents. Leave them false and
  # approve the source certificate explicitly (3.2, certificate validation).
  trust_certs        = each.value.trust_certs
  trust_fingerprints = each.value.trust_fingerprints
  run_setup_tests    = each.value.run_setup_tests

  destination_schema {
    name = each.value.schema_name
  }

  config {
    # Source settings for database connectors (attribute names follow the
    # Fivetran connector config for database sources; other services use their
    # own keys). The service account must have:
    # - Read-only access for data extraction
    # - SELECT only for database connectors
    # - Never admin/superuser credentials
    host     = try(each.value.config.host, null)
    port     = try(each.value.config.port, null)
    database = try(each.value.config.database, null)
    user     = try(each.value.config.user, null)
    password = try(each.value.config.password, null)
    # SSH tunnel (Step 2): Fivetran reaches the database through a bastion
    # instead of a database port exposed directly to the internet
    tunnel_host = try(each.value.config.tunnel_host, null)
    tunnel_port = try(each.value.config.tunnel_port, null)
    tunnel_user = try(each.value.config.tunnel_user, null)
  }
}

# Sync schedule is a separate resource in the 1.x provider
resource "fivetran_connector_schedule" "managed_connectors" {
  for_each       = var.connectors
  connector_id   = fivetran_connector.managed_connectors[each.key].id
  sync_frequency = each.value.sync_frequency
  paused         = each.value.paused
}

# Validation: audit connector configurations for security posture
resource "null_resource" "audit_connector_credentials" {
  triggers = {
    connector_count = length(var.connectors)
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
      FIVETRAN_GROUP_ID   = var.fivetran_account_id
    }
    command = <<-EOT
      echo "============================================="
      echo "Connector Credential Security Audit"
      echo "============================================="
      # List all connectors and their services
      curl -fsS "https://api.fivetran.com/v1/groups/$FIVETRAN_GROUP_ID/connectors" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      connectors = json.load(sys.stdin).get("data", {}).get("items", [])
      print("Total connectors: %d" % len(connectors))
      for c in connectors:
          status = c.get("status", {}).get("setup_state", "unknown")
          print("  [%s] %s -- %s" % (status, c.get("service", "unknown"), c.get("schema", "no-schema")))
      print("")
      print("Reminder: verify each connector uses a dedicated service account")
      print("with minimum required permissions (read-only / SELECT only).")
      ' || echo "Note: connector audit failed (API error or python3 missing)"
    EOT
  }
}
```
3.2 Configure Network Security
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 13.5 |
| NIST 800-53 | AC-17 |
Description
Secure network access for Fivetran connections.
ClickOps Implementation
Step 1: Configure IP Allowlisting
- Get Fivetran IP addresses
- Allowlist only Fivetran IPs on source systems
- Block other external access
Step 2: Enable Private Networking
- Use Fivetran PrivateLink if available
- Connect via private networks
- Avoid public internet
Step 3: Configure Database Security
- Enable SSL/TLS for database connections
- Require encrypted connections
- Verify certificate validation
Code Implementation
3.3 Configure Destination Security
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-8 |
Description
Secure data warehouse and destination configurations.
ClickOps Implementation
Step 1: Secure Destination Credentials
- Use service accounts for destinations
- Grant minimum write permissions
- Avoid using admin credentials
Step 2: Enable Encryption
- Ensure destination supports encryption
- Enable TLS for connections
- Verify data encrypted at rest
Step 3: Configure Access Controls
- Limit who can modify destination settings
- Restrict data access in destination
- Apply column-level security if needed
Code Implementation
Code Pack: Terraform
```hcl
# Secure data warehouse/destination configuration
# Use service accounts with minimum write permissions
resource "fivetran_destination" "primary" {
  count = var.destination_group_id != "" && var.destination_service != "" ? 1 : 0

  group_id = var.destination_group_id
  service  = var.destination_service
  # Data residency: the region your data-protection requirements allow
  # (assumed variable; the guide's original hard-coded value was GCP_US_EAST4)
  region           = var.destination_region
  time_zone_offset = "0"
  run_setup_tests  = true

  # Do not auto-trust whatever certificate or fingerprint the warehouse
  # presents; with run_setup_tests = true an unapproved certificate fails the
  # apply instead of being accepted silently
  trust_certs        = false
  trust_fingerprints = false

  config {
    # Destination-specific settings come from sensitive variables. The service
    # account must have:
    # - Minimum write permissions to target schemas/datasets
    # - No admin/owner-level access to the data warehouse
    # - TLS encryption enabled for the connection
    host     = try(var.destination_config.host, null)
    port     = try(var.destination_config.port, null)
    database = try(var.destination_config.database, null)
    user     = try(var.destination_config.user, null)
    password = try(var.destination_config.password, null)
  }
}

# Validate destination security configuration
resource "null_resource" "audit_destination_security" {
  count = var.destination_group_id != "" ? 1 : 0

  triggers = {
    destination_group_id = var.destination_group_id
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY     = var.fivetran_api_key
      FIVETRAN_API_SECRET  = var.fivetran_api_secret
      DESTINATION_GROUP_ID = var.destination_group_id
    }
    command = <<-EOT
      echo "============================================="
      echo "Destination Security Audit"
      echo "============================================="
      # Fetch destination configuration
      curl -fsS "https://api.fivetran.com/v1/destinations/$DESTINATION_GROUP_ID" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      dest = json.load(sys.stdin).get("data", {})
      print("Destination: %s" % dest.get("service", "unknown"))
      print("Region: %s" % dest.get("region", "unknown"))
      print("Setup status: %s" % dest.get("setup_status", "unknown"))
      config = dest.get("config", {}) or {}
      # Check for TLS/SSL indicators among the returned config keys
      has_ssl = any("ssl" in k.lower() or "tls" in k.lower() for k in config)
      print("SSL/TLS configured: %s" % ("Yes" if has_ssl else "Check manually"))
      print("")
      print("Destination Security Checklist:")
      print("  [1] Service account with minimum write permissions")
      print("  [2] No admin credentials used")
      print("  [3] TLS encryption enabled")
      print("  [4] Data encrypted at rest in destination")
      print("  [5] Column-level security applied where needed")
      ' || echo "Note: destination audit failed (API error or python3 missing)"
    EOT
  }
}
```
4. Monitoring & Compliance
4.1 Configure Activity Logging
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2 |
Description
Monitor user and connector activity.
ClickOps Implementation
Step 1: Access Activity Logs
- Navigate to: Account Settings → Activity Log
- Review logged events:
  - User logins
  - Configuration changes
  - Connector modifications
  - Sync activities
Step 2: Export Logs
- Export logs for analysis
- Integrate with SIEM
- Set up regular exports
Step 3: Monitor Key Events
- User provisioning/deprovisioning
- SSO configuration changes
- Connector credential updates
- Permission modifications
Code Implementation
Code Pack: Terraform
```hcl
# Stream Fivetran events to a SIEM/monitoring endpoint via an account webhook
# Webhooks carry sync, connection and dbt events. User logins, SSO and
# permission changes are not webhook events; they are read from the activity
# log (audit resource below) and exported from the Dashboard (Step 2)
resource "fivetran_webhook" "activity_log_webhook" {
  count  = var.webhook_url != "" ? 1 : 0
  type   = "account"
  url    = var.webhook_url
  # Shared secret the receiving endpoint uses to verify each delivery
  secret = var.webhook_secret
  active = true
  events = [
    "sync_start",
    "sync_end",
    "status",
    "connection_successful",
    "connection_failure",
    "dbt_run_start",
    "dbt_run_succeeded",
    "dbt_run_failed"
  ]
}

# Audit: enumerate recent activity log events via API (runs on every apply)
resource "null_resource" "audit_activity_logs" {
  triggers = {
    timestamp = timestamp()
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
    }
    command = <<-EOT
      echo "============================================="
      echo "Activity Log Audit"
      echo "============================================="
      # Fetch recent activity log entries
      curl -fsS "https://api.fivetran.com/v1/account/activity-log?limit=10" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      events = json.load(sys.stdin).get("data", {}).get("items", [])
      print("Recent activity log entries (last 10):")
      for e in events:
          print("  [%s] %s -- %s" % (e.get("created_at", ""), e.get("event", "unknown"), e.get("actor", "system")))
      if not events:
          print("  No activity log entries found (or API permissions insufficient)")
      print("")
      print("Key events to monitor:")
      print("  - User logins and provisioning/deprovisioning")
      print("  - SSO configuration changes")
      print("  - Connector credential updates")
      print("  - Permission modifications")
      print("  - Sync failures and errors")
      ' || echo "Note: activity log audit failed (API error or python3 missing)"
    EOT
  }
}
```
4.2 Configure Sync Monitoring
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | CA-7 |
Description
Monitor data sync status and errors.
ClickOps Implementation
Step 1: Configure Notifications
- Navigate to: Notification Settings
- Enable sync failure alerts
- Configure email recipients
Step 2: Monitor Sync Health
- Review sync dashboard
- Identify failed syncs
- Investigate errors promptly
Step 3: Configure Webhooks
- Set up webhooks for events
- Integrate with monitoring systems
- Automate incident response
Code Implementation
Code Pack: Terraform
```hcl
# Account webhook for sync failure alerting
# Fivetran posts each event to the URL; the receiver (the monitoring system or
# a small relay) fans out to email, Slack or PagerDuty. If the 4.1 webhook
# already points at the same URL, do not add this one as well, or every event
# is delivered twice.
resource "fivetran_webhook" "sync_failure_webhook" {
  count  = var.webhook_url != "" ? 1 : 0
  type   = "account"
  url    = var.webhook_url
  secret = var.webhook_secret
  active = true
  events = [
    "sync_end",
    "connection_failure",
    "status"
  ]
}

# Audit: check current sync health across all connectors (runs on every apply)
resource "null_resource" "audit_sync_health" {
  triggers = {
    timestamp = timestamp()
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
      FIVETRAN_GROUP_ID   = var.fivetran_account_id
    }
    command = <<-EOT
      echo "Checking sync health across all connectors..."
      curl -fsS "https://api.fivetran.com/v1/groups/$FIVETRAN_GROUP_ID/connectors" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      connectors = json.load(sys.stdin).get("data", {}).get("items", [])
      # A connector needs attention when its last sync failed or its setup is
      # broken (rejected credentials, unreachable source)
      failed = [c for c in connectors
                if c.get("status", {}).get("sync_state") == "failure"
                or c.get("status", {}).get("setup_state") == "broken"]
      paused = [c for c in connectors if c.get("paused") and c not in failed]
      healthy = len(connectors) - len(failed) - len(paused)
      print("Connector Health Summary:")
      print("  Total:   %d" % len(connectors))
      print("  Healthy: %d" % healthy)
      print("  Failed:  %d" % len(failed))
      print("  Paused:  %d" % len(paused))
      if failed:
          print("")
          print("Failed connectors requiring attention:")
          for c in failed:
              print("  - %s: %s" % (c.get("service", "unknown"), c.get("schema", "")))
      ' || echo "Note: sync health report failed (API error or python3 missing)"
    EOT
  }
}
```
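Added example, not code from this guide or from Fivetran: the receiving side of the account webhook configured above, which verifies each delivery before acting on it and routes the events listed in 4.2 to an alert level. It assumes Fivetran sends an HMAC-SHA256 hex digest of the raw body, keyed with the webhook secret, in the X-Fivetran-Signature-256 header (header name and scheme taken from Fivetran's webhook documentation; treat them as an assumption to confirm against your account) and uses constructed payloads.

```python
"""Webhook receiver logic for the account webhook in 4.1/4.2: verify the
signature, then decide which events page someone. Added example, not Fivetran's
or the guide's own code. Header name and HMAC scheme are assumed from Fivetran's
webhook documentation; payloads below are constructed samples."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Fivetran-Signature-256"  # assumed header name


def sign(secret, raw_body):
    """HMAC-SHA256 over the raw request body, hex encoded (assumed scheme for
    the `secret` set on fivetran_webhook)."""
    return hmac.new(secret.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret, raw_body, header_value):
    """Constant-time comparison. The MAC must be computed over the exact bytes
    received, before any JSON parsing or re-serialisation."""
    if not header_value:
        return False
    return hmac.compare_digest(sign(secret, raw_body).lower(), header_value.strip().lower())


def classify(event):
    """Map an event to an alert level, following 4.2 step 3 (automate incident
    response). Returns None for events that are only logged."""
    kind = event.get("event")
    data = event.get("data") or {}
    if kind == "connection_failure":
        return "page"    # source unreachable or credentials rejected
    if kind == "sync_end" and data.get("status") != "SUCCESSFUL":
        return "page"    # failed sync; status strings as in the constructed sample
    if kind == "status":
        return "ticket"  # connector status change: review, no paging
    return None


def handle_webhook(secret, raw_body, header_value):
    """Full receive path. Rejects bad signatures before touching the body."""
    if not verify_signature(secret, raw_body, header_value):
        return {"accepted": False, "reason": "signature mismatch"}
    try:
        event = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "body is not JSON"}
    return {
        "accepted": True,
        "event": event.get("event"),
        "connector_id": event.get("connector_id"),
        "alert": classify(event),
    }


# Constructed sample: a failed-sync event as the receiver would see it
WEBHOOK_SECRET = "constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "event": "sync_end",
    "created": "2025-02-05T10:15:00.000Z",
    "connector_type": "postgres",
    "connector_id": "constructed_connector_id",
    "destination_group_id": "constructed_group_id",
    "data": {"status": "FAILURE", "reason": "setup tests failed"},
}).encode("utf-8")
SAMPLE_HEADER = sign(WEBHOOK_SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, SAMPLE_HEADER))
    # Any change to the body after signing is rejected
    tampered = SAMPLE_BODY.replace(b"FAILURE", b"SUCCESS")
    print(handle_webhook(WEBHOOK_SECRET, tampered, SAMPLE_HEADER))
```

A production receiver would additionally reject deliveries whose `created` timestamp is stale and de-duplicate repeated deliveries of the same event before paging.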
4.3 Data Governance
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.1 |
| NIST 800-53 | AC-3 |
Description
Implement data governance controls for sensitive data.
ClickOps Implementation
Step 1: Configure Column Blocking
- Navigate to connector settings
- Block sensitive columns from sync
- Prevent PII replication
Step 2: Configure Hashing
- Enable column hashing for sensitive data
- Hash PII columns
- Maintain referential integrity
Step 3: Document Data Flows
- Inventory all connectors
- Document data destinations
- Maintain data lineage
Code Implementation
Code Pack: Terraform
```hcl
# Data governance: column blocking and hashing for sensitive data (L2+)
# Prevents PII replication and maintains referential integrity
#
# Both settings are per-column attributes of the connector's schema
# configuration, so one resource manages them. var.column_governance is a map
# keyed by connector ID:
#   "<connector_id>" = {
#     schema  = "crm"
#     table   = "contact"
#     blocked = ["ssn", "date_of_birth"]   # never replicated
#     hashed  = ["email", "phone"]         # replicated as one-way hashes
#   }
# Hashed values are consistent (the same input always produces the same hash),
# so joins across tables keep working while the raw PII stays out of the
# destination. The schema/table/column block form is used here; check the
# documentation of your provider version for the current syntax.
resource "fivetran_connector_schema_config" "column_governance" {
  for_each = var.profile_level >= 2 ? var.column_governance : {}

  connector_id = each.key
  # BLOCK_ALL: schemas, tables and columns the source adds later stay out of
  # the sync until someone reviews and enables them, so a newly added PII
  # column cannot slip through
  schema_change_handling = "BLOCK_ALL"

  schema {
    name = each.value.schema
    table {
      name = each.value.table
      dynamic "column" {
        for_each = toset(each.value.blocked)
        content {
          name    = column.value
          enabled = false
        }
      }
      dynamic "column" {
        for_each = toset(each.value.hashed)
        content {
          name   = column.value
          hashed = true
        }
      }
    }
  }
}

# Audit: document data flows for governance (runs on every apply)
resource "null_resource" "audit_data_flows" {
  count = var.profile_level >= 2 ? 1 : 0

  triggers = {
    profile_level = var.profile_level
    timestamp     = timestamp()
  }

  provisioner "local-exec" {
    environment = {
      FIVETRAN_API_KEY    = var.fivetran_api_key
      FIVETRAN_API_SECRET = var.fivetran_api_secret
    }
    command = <<-EOT
      echo "============================================="
      echo "Data Governance Audit (L2+)"
      echo "============================================="
      # Inventory all groups (destinations)
      curl -fsS "https://api.fivetran.com/v1/groups" \
        -u "$FIVETRAN_API_KEY:$FIVETRAN_API_SECRET" \
      | python3 -c '
      import json, sys
      groups = json.load(sys.stdin).get("data", {}).get("items", [])
      print("Data Flow Inventory:")
      print("  Groups (destinations): %d" % len(groups))
      for g in groups:
          print("  - %s (ID: %s)" % (g.get("name", "unnamed"), g.get("id", "")))
      print("")
      print("Data Governance Checklist:")
      print("  [1] Inventory all connectors and their data sources")
      print("  [2] Document data destinations and schemas")
      print("  [3] Block sensitive/PII columns from sync")
      print("  [4] Hash columns requiring referential integrity")
      print("  [5] Maintain data lineage documentation")
      print("  [6] Review data flows quarterly")
      ' || echo "Note: data flow audit failed (API error or python3 missing)"
    EOT
  }
}
```
5. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Fivetran Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/SAML | 1.1 |
| CC6.2 | RBAC | 2.1 |
| CC6.6 | Session timeout | 1.4 |
| CC6.7 | Encryption | 3.3 |
| CC7.2 | Activity logging | 4.1 |
NIST 800-53 Rev 5 Mapping
| Control | Fivetran Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| AC-2 | SCIM provisioning | 2.3 |
| AC-6 | Least privilege | 2.1 |
| SC-12 | Credential security | 3.1 |
| AU-2 | Audit logging | 4.1 |
Appendix A: Plan Compatibility
| Feature | Standard | Enterprise | Business Critical |
|---|---|---|---|
| SAML SSO | ✅ | ✅ | ✅ |
| Custom Session Timeout | ❌ | ✅ | ✅ |
| SCIM Provisioning | ❌ | ✅ | ✅ |
| Private Networking | ❌ | Add-on | Add-on |
| Advanced Security | ❌ | ❌ | ✅ |
Appendix B: References
Official Fivetran Documentation:
- Trust Center (SafeBase)
- Fivetran Security
- Fivetran Security Documentation
- Getting Started
- Single Sign-On
- Account Settings
- SSO with Okta
- SSO with Microsoft Entra ID
API & Developer Documentation:
Compliance Frameworks:
- SOC 1, SOC 2 Type II, ISO 27001, PCI DSS, HITRUST i1, CyberEssentials — via Trust Center
- Fivetran Security Whitepaper
Security Incidents:
- No major public security incidents identified affecting the Fivetran platform.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO, access controls, and connector security | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag content-outdated
- Propose new controls: Open an issue with tag new-control
- Submit improvements: See Contributing Guide