Write Permissions Security: Secrets, RBAC, Audits

Overview

Follow these security best practices to ensure your write permissions are configured securely.

Principle of Least Privilege

Only enable the write permissions you actually need. Each permission you enable grants additional access, so:

  • Review each permission before enabling it
  • Understand what Azure role is required
  • Consider using custom roles with minimal permissions
  • Regularly audit enabled permissions
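To make the "review each permission" and "custom roles with minimal permissions" points concrete, here is an added example (not part of this page, and not Spotto's own tooling) that lints an Azure custom role definition against a required-action list. The role dicts use the JSON shape accepted by `az role definition create`; the action names, subscription id, resource group and the `REQUIRED_WRITE_ACTIONS` set are constructed placeholders, not Spotto's actual required permissions (those come from the Custom Roles guide).

```python
"""Least-privilege lint for an Azure custom role definition (added example)."""
from fnmatch import fnmatchcase

# Constructed example: the write actions an integration is assumed to need.
REQUIRED_WRITE_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/deallocate/action",
]

SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
RG_SCOPE = SUBSCRIPTION_SCOPE + "/resourceGroups/rg-example"                 # placeholder

# Constructed example: an over-broad role that grants far more than required.
BROAD_ROLE = {
    "Name": "Write Access (broad, example)",
    "IsCustom": True,
    "Description": "Example only: wildcard grant at subscription scope",
    "Actions": [
        "Microsoft.Compute/*",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
    ],
    "NotActions": [],
    "AssignableScopes": [SUBSCRIPTION_SCOPE],
}

# Constructed example: a minimal role granting exactly the required actions,
# assignable only within one resource group.
MINIMAL_ROLE = {
    "Name": "Write Access (minimal, example)",
    "IsCustom": True,
    "Description": "Example only: explicit actions, resource-group scope",
    "Actions": list(REQUIRED_WRITE_ACTIONS),
    "NotActions": [],
    "AssignableScopes": [RG_SCOPE],
}


def action_matches(pattern, action):
    """Azure action matching: '*' is a wildcard and names are case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_granted(role, action):
    """True if Actions grant `action` and NotActions do not take it back."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def lint_role(role, required_actions, allowed_scope_prefix):
    """Return least-privilege findings; an empty list means the role is tight.

    Flags wildcard grants, explicit grants outside the required set, required
    actions the role fails to grant, and assignable scopes broader than expected.
    """
    findings = []
    required = {a.lower() for a in required_actions}
    for pattern in role.get("Actions", []):
        if "*" in pattern:
            findings.append(f"wildcard grant: {pattern}")
        elif pattern.lower() not in required:
            findings.append(f"grant not in required set: {pattern}")
    for action in required_actions:
        if not is_granted(role, action):
            findings.append(f"required action not granted: {action}")
    for scope in role.get("AssignableScopes", []):
        if not scope.lower().startswith(allowed_scope_prefix.lower()):
            findings.append(f"assignable scope broader than expected: {scope}")
    return findings


if __name__ == "__main__":
    for role in (BROAD_ROLE, MINIMAL_ROLE):
        print(role["Name"])
        for finding in lint_role(role, REQUIRED_WRITE_ACTIONS, RG_SCOPE) or ["no findings"]:
            print("  -", finding)
```

Run the same lint before each quarterly review against the role you actually assigned: the `BROAD_ROLE` shape is what a convenience grant like `Microsoft.Compute/*` looks like, and `is_granted` shows why it matters (it silently grants `virtualMachines/delete` alongside the deallocate action you meant to allow).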

Credential Configuration

Review the two credential configuration options and choose the one that best fits your security requirements:

Same Credentials Approach

  • Uses your existing read access credentials for write operations
  • Simpler to set up and manage
  • Trade-off: A compromised credential has both read and write access
  • Suitable for: Development, testing, or low-risk environments

Separate Credentials Approach

  • Uses dedicated service principals for read and write operations
  • Enhanced security through credential isolation
  • Follows the principle of least privilege
  • Suitable for: Production environments and security-conscious deployments

See the Configuration guide for detailed setup instructions.

Monitor Access

Azure provides audit logs for all actions taken by service principals:

  1. Go to Subscriptions > Activity Log in Azure Portal
  2. Filter by Caller and select your Spotto write access service principal
  3. Review actions taken by Spotto

Regular monitoring helps you:

  • Verify that Spotto is only performing expected actions
  • Detect any unusual activity
  • Maintain compliance with security policies
  • Audit automated changes for accountability
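The Activity Log review above can be scripted so that "only performing expected actions" is checked mechanically rather than by eye. The following is an added example, not part of this page or of Spotto: it runs over a constructed, simplified subset of the fields that `az monitor activity-log list` returns (`caller`, `operationName.value`, `status.value`, `eventTimestamp`, `resourceId`). The caller id, subscription id, resource groups and allowed action are placeholders.

```python
"""Audit Azure Activity Log entries for a write-access service principal (added example)."""
from collections import Counter
from fnmatch import fnmatchcase

# Placeholders for illustration; substitute the write principal's id and the
# scope and actions you granted it.
WRITE_SP_CALLER = "11111111-1111-1111-1111-111111111111"
EXPECTED_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/"
ALLOWED_ACTIONS = ["Microsoft.Compute/virtualMachines/deallocate/action"]

DEALLOCATE = "Microsoft.Compute/virtualMachines/deallocate/action"
DELETE = "Microsoft.Compute/virtualMachines/delete"
VM = "providers/Microsoft.Compute/virtualMachines/"


def _event(ts, caller, op, status, resource_id):
    """Build an entry with the subset of Activity Log fields this audit reads."""
    return {
        "eventTimestamp": ts,
        "caller": caller,
        "operationName": {"value": op},
        "status": {"value": status},
        "resourceId": resource_id,
    }


# Constructed sample: two expected deallocations, one unexpected delete, one
# failed attempt outside the granted scope, and one action by a human user.
SAMPLE_EVENTS = [
    _event("2024-05-01T02:00:00Z", WRITE_SP_CALLER, DEALLOCATE, "Succeeded", EXPECTED_SCOPE + VM + "vm-01"),
    _event("2024-05-01T02:05:00Z", WRITE_SP_CALLER, DEALLOCATE, "Succeeded", EXPECTED_SCOPE + VM + "vm-02"),
    _event("2024-05-02T03:10:00Z", WRITE_SP_CALLER, DELETE, "Succeeded", EXPECTED_SCOPE + VM + "vm-02"),
    _event("2024-05-02T03:12:00Z", WRITE_SP_CALLER, DEALLOCATE, "Failed",
           "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-other/" + VM + "vm-99"),
    _event("2024-05-02T09:00:00Z", "admin@example.com", DELETE, "Succeeded", EXPECTED_SCOPE + VM + "vm-01"),
]


def audit_events(events, caller, allowed_actions, expected_scope, max_per_day=50):
    """Filter to the given caller and classify each of its entries.

    Returns counts plus lists of (timestamp, action, resourceId) tuples for
    actions not in the allow-list, actions outside the expected scope, failed
    attempts, and days whose volume exceeds `max_per_day`.
    """
    report = {"total": 0, "unexpected_action": [], "out_of_scope": [], "failed": [], "busy_days": []}
    per_day = Counter()
    for ev in events:
        if ev.get("caller", "").lower() != caller.lower():
            continue  # entries by other identities are reviewed separately
        report["total"] += 1
        op = ev["operationName"]["value"]
        rid = ev.get("resourceId", "")
        record = (ev["eventTimestamp"], op, rid)
        per_day[ev["eventTimestamp"][:10]] += 1
        if not any(fnmatchcase(op.lower(), p.lower()) for p in allowed_actions):
            report["unexpected_action"].append(record)
        if not rid.lower().startswith(expected_scope.lower()):
            report["out_of_scope"].append(record)
        if ev["status"]["value"] == "Failed":
            report["failed"].append(record)
    report["busy_days"] = sorted(day for day, n in per_day.items() if n > max_per_day)
    return report


def has_findings(report):
    """True if any category other than the plain total is non-empty."""
    return any(report[k] for k in ("unexpected_action", "out_of_scope", "failed", "busy_days"))


if __name__ == "__main__":
    result = audit_events(SAMPLE_EVENTS, WRITE_SP_CALLER, ALLOWED_ACTIONS, EXPECTED_SCOPE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Failed attempts deserve attention even though nothing changed: a write principal that starts failing against a resource group it was never granted indicates either a misconfiguration on the Spotto side or a credential being used from somewhere it should not be, and both are worth a ticket.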

Rotate Credentials

Regularly rotate your client secrets:

  • Set expiry dates (recommended: 12 months)
  • Update credentials in Spotto before expiry
  • Azure will notify you before secrets expire

To rotate credentials:

  1. Create a new client secret in Azure for your service principal
  2. Update the credentials in Spotto Portal
  3. Click Validate Credentials to ensure the new credentials work
  4. Delete the old client secret in Azure

Revoke Access

To revoke write permissions, you have three options:

Option 1: Disable in Spotto

  1. Go to Cloud Accounts in Spotto Portal
  2. Edit your cloud account
  3. Disable the Write Access toggle
  4. Click Save

This is the quickest way to temporarily disable write permissions while keeping the configuration intact.

Option 2: Remove Azure Roles

  1. Go to your Azure subscription
  2. Navigate to Access Control (IAM)
  3. Find your Spotto write access service principal
  4. Remove role assignments

This prevents write actions while keeping the service principal for potential future use.

Option 3: Delete Service Principal

  1. Go to Entra ID > App registrations
  2. Find your Spotto write access app
  3. Click Delete

This permanently removes the service principal and all associated credentials.

Regular Security Reviews

Periodically review your write permissions configuration:

  • Monthly: Check Activity Logs for unusual patterns
  • Quarterly: Review enabled permissions and disable any that are no longer needed
  • Annually: Rotate client secrets and review service principal configurations

Additional Recommendations

  1. Use separate credentials for production environments
  2. Enable Azure Multi-Factor Authentication (MFA) for users who can manage service principals
  3. Implement Azure Policy to enforce organizational security standards
  4. Document your configuration including which permissions are enabled and why
  5. Test in a development environment before enabling write permissions in production
  6. Set up alerts for critical actions in Azure Monitor

Troubleshooting

We need tighter audit boundaries for write actions

What you're seeing: Security/compliance requires separating read-only analysis from write operations.

Likely causes: Shared credentials make it harder to reason about “who did what” across environments.

How to fix:

  1. Use separate credentials for write permissions (distinct app registration/service principal).
  2. Use a least-privilege custom role (see Custom Roles).
  3. Set a rotation policy for the write credential’s client secret and document ownership.

Next Steps

For further assistance, please Contact Us.