Permissions and Resource Usage in Sprinto Integrations

Introduction

Sprinto relies on various resource permissions from the integrated services on your Sprinto account. These permissions are crucial for Sprinto's operations, such as evaluating automated checks and collecting evidence to meet the requirements of your security compliance program. Apart from assessing checks, Sprinto provides additional functionalities like Slack notifications for communication and pushing tasks to JIRA.

Sprinto may utilize integration partners such as Merge or Truto for specific integrations. These partners assist Sprinto in mapping data inflow using their API endpoints, enhancing the integration experience.

Does Sprinto Access or Modify Data from Integrated Accounts?

In most cases, Sprinto requires only read-only access to the integrated service's resources to perform its operations. However, additional permissions are required in some exception use cases and functionalities, such as sending notifications on platforms like Slack and Teams, pushing tickets in JIRA projects, or creating resource monitoring CloudWatch alarms on AWS.

Apart from those exceptions, Sprinto takes only read-only access to the integrated resources. That access is used to run the Sprinto monitors, which verify that the security configuration of these resources meets the compliance requirements.

At Sprinto, we adhere to stringent data security practices to safeguard and preserve customer data. Sprinto complies with industry-leading data security compliance frameworks such as SOC 2 Type II, ISO 27001, and GDPR. Visit Sprinto's Trust Center to learn more about Sprinto's compliance posture.

Permissions Access and Usage

To better understand how Sprinto uses permissions from various resources of your integrated service, refer to the tables below explaining the permissions and their usage for a few of the most widely integrated service providers among our customers.

The intent is to provide transparency regarding Sprinto's permission usage. Each table contains the following fields:

  • Permission: Permission from the integrated service

  • Resources: The resources' API endpoints that Sprinto uses for its operations.

  • Purpose: Reason behind accessing the respective permission

  • Sprinto check: The Sprinto checks that run on the data retrieved through the permission

Visit the Check Configuration page to review all available Sprinto checks on your account.

Refer to the tables below to see which permissions Sprinto requests during integration and which resources it accesses with them. Each table also states the purpose of that access and the compliance checks Sprinto maps to your system:

Google Cloud Platform (GCP):

Sprinto exclusively requests "read-only" access to the following resources to understand their system configurations comprehensively. It's important to note that Sprinto does not read any data stored or processed within these resources. The system configuration helps us to compute the compliance requirements and activate the relevant checks.

Permission: Security Reviewer
The following permission allows Sprinto to list all the resources and apply policies on them.

Resources:
- Service Accounts
- Users
- Firestore-enabled Projects
- Firebase
- Projects
- Cloud Storage Buckets
- Cloud Spanner Instances
- Cloud SQL Instances
- GKE Clusters
- BigQuery Datasets
- GKE Node Pools
- Alert Policies (read and create)
- Notification Channels
- Security Center Findings
- KMS Keyrings
- KMS Keys
- Essential Contacts
- Log Sinks

Purpose:
- To manage compliance with the cloud infrastructure by fetching resources and monitoring vulnerabilities
- Monitoring detected vulnerabilities
- Staff's access control

Sprinto checks:
* User should be identified
* GCP Cloud SQL should be encrypted
* GCP Cloud SQL CPU utilization should be monitored
* GCP Cloud SQL memory utilization should be monitored
* GCP Cloud SQL backup should be enabled
* GCP Firestore read frequency should be monitored
* GCP Firestore write frequency should be monitored
* GCP VPC Subnet flow logs should be captured
* GCP Compute instance CPU utilization should be monitored
* GCP bucket storage should be encrypted
* GCP BigQuery storage should be encrypted
* GCP BigQuery should be protected from direct internet traffic
* GCP Cloud SQL should be protected from direct internet traffic
* GCP Cloud Storage bucket should be protected from direct internet traffic
* GCP Cloud Storage should have uniform bucket-level access enabled
* GCP Compute instance should be protected from direct internet traffic
* GCP Service account keys should only be GCP-managed
* GCP Service account user-managed/external keys should be rotated every 90 days or fewer
* GCP Cloud SQL connections should require SSL
* GCP KMS encryption keys should be protected from direct internet traffic
* GCP KMS encryption keys should be rotated within 90 days
* GCP essential contacts should be set up
* GCP Sink should be configured for all log entries
* GCP service account should not have admin privilege access
* GCP service account user role/token creator role should not be assigned at project level
* GCP user should have MFA enabled
* GCP access should be removed for offboarded user
* Production application should be on https

Permission: Compute Viewer
The Compute Viewer permission allows Sprinto to list Compute Engine resources. Sprinto does not read the data stored in these resources.

Resources:
- Compute Instances
- VPC Networks
- VPC Subnetworks
- Firewalls
- Instance Group Managers

Purpose:
- To manage infrastructure by fetching the compute-related resources

Sprinto checks:
* GCP VPC Subnet flow logs should be captured
* GCP Compute instance CPU utilization should be monitored
* GCP Compute instance should be protected from direct internet traffic

Amazon Web Services (AWS):

Sprinto exclusively requests "read-only" access to the following AWS resources to understand their system configurations comprehensively. It's important to note that Sprinto does not read any data stored or processed from AWS databases. The system configuration helps us to compute the compliance requirements and activate the relevant checks.

Permission: SecurityAudit
The following permission allows Sprinto to access several AWS resources. Refer to the AWS documentation for further details.

Resources:
- Security Groups
- ElastiCache Clusters
- Redshift Clusters
- EC2 Instances
- Beanstalk Environments
- VPCs
- Load Balancers
- VPC Flow Logs
- CloudTrail Instances
- RDS Instances
- S3 Buckets
- IAM Users
- IAM Groups
- IAM Policies
- GuardDuty Incidents
- Elasticsearch Domains
- Load Balancer Target Groups
- MFA Devices
- ECS Clusters
- ECR Repositories
- API Gateway APIs
- SNS Topics
- DynamoDB Tables
- EBS Volumes
- Account Password Policy
- EKS Clusters
- EFS Storage
- Inspector Findings
- FSx File Systems
- Credentials Report
- Account Summary

Purpose:
- To manage compliance with the cloud infrastructure by fetching resources and monitoring vulnerabilities

Sprinto checks:
* Infra entity should be classified
* AWS CloudTrail should be enabled
* AWS load balancer should redirect traffic from http to https
* AWS credentials not used in last 90 days should be disabled
* AWS CloudTrail log file integrity validation should be enabled
* AWS user access keys should not be older than 90 days
* AWS user should have MFA enabled
* AWS root account should have MFA enabled
* AWS CodeCommit user should have MFA enabled
* AWS users should not have attached IAM policies
* AWS account password policy should be configured
* AWS root account usage should be avoided
* AWS GuardDuty should be enabled
* AWS RDS database backup should be enabled
* AWS RDS database storage should be encrypted
* AWS RDS database should be protected from direct internet traffic
* AWS S3 storage bucket should be encrypted
* AWS S3 server access logging should be enabled for important buckets
* AWS S3 bucket should be versioned
* AWS S3 bucket public access should be blocked
* AWS EC2 instance should be protected from direct internet traffic
* AWS Redshift CPU utilization should be monitored
* AWS Redshift cluster should be encrypted
* AWS Redshift cluster backup should be enabled

Permission: CloudWatchFullAccess
The following permission allows Sprinto to access the AWS CloudWatch service, which helps in monitoring other AWS services.

Resources:
- AWS CloudWatch

Purpose:
- To monitor the critical AWS resources to ensure their availability and integrity.

Sprinto checks:
* AWS RDS database freespace should be monitored
* AWS RDS database CPU utilization should be monitored
* AWS RDS database freeable memory should be monitored
* AWS RDS database IO utilization should be monitored
* AWS ElastiCache datastore CPU utilization should be monitored
* AWS ElastiCache freeable memory should be monitored
* AWS ElastiCache current connections should be monitored
* AWS EBS health should be monitored
* AWS EC2 instance CPU utilization should be monitored
* AWS Redshift health should be monitored
* AWS DynamoDB write capacity should be monitored
* AWS DynamoDB read capacity should be monitored
* AWS DynamoDB latency should be monitored
* AWS ECS CPU utilization should be monitored
* AWS load balancer latency should be monitored
* AWS classic load balancer latency should be monitored
* AWS load balancer healthy host count should be monitored
* AWS Elasticsearch cluster freespace should be monitored
* AWS load balancer host health should be monitored
* AWS FSx File System freespace should be monitored
* AWS Elasticsearch cluster CPU utilization should be monitored
* AWS Elasticsearch cluster health should be monitored
* AWS SQS messages visibility should be monitored
* AWS Firehose stream throttling should be monitored
* AWS user should have MFA enabled
* AWS access should be removed for offboarded user

Permission: AWSSSODirectoryReadOnly
The following permission allows Sprinto to monitor user logins through the AWS SSO functionality.

Resources:
- Single Sign-On (SSO) instances

Purpose:
- To manage user access control for the listed AWS resources.

Sprinto checks:
* AWS access should be removed for offboarded user

Permission: AWSSSOReadOnly
The following permission allows Sprinto to monitor the users that log in to AWS accounts and the permission grants they hold.

Resources:
- SSO users' permission sets

Purpose:
- To manage user access control for the listed AWS resources.

Sprinto checks:
* AWS access should be removed for offboarded user

Permission: LightsailFullAccessPolicy (user created)
The following permission allows Sprinto to monitor metrics such as disk encryption, instances, and alarms on the AWS Lightsail service.

Resources:
- AWS Lightsail Instances
- AWS Lightsail Disks
- AWS Lightsail Alarms

Purpose:
- To manage computing instances, storage, and alarms from AWS Lightsail.

Sprinto checks:
* AWS Lightsail disk backup should be enabled
* AWS Lightsail instance CPU utilization should be monitored
* AWS Lightsail disk should be encrypted
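The GCP and AWS tables above state exactly which roles and policies the integration principal should hold. The following added example (not Sprinto's own code) verifies that an integration principal holds those documented grants and nothing more, by diffing observed grants against the documented sets. The GCP member name, AWS account ID and the AdministratorAccess / roles/owner grants in the sample data are constructed for illustration; the customer-managed Lightsail policy is matched by name, on the assumption that it is named exactly as in the table.

```python
"""Diff an integration principal's observed grants against the documented set."""
import json

# Grants documented in the GCP and AWS tables above.
EXPECTED_GCP_ROLES = {"roles/iam.securityReviewer", "roles/compute.viewer"}
EXPECTED_AWS_MANAGED = {
    "arn:aws:iam::aws:policy/SecurityAudit",
    "arn:aws:iam::aws:policy/CloudWatchFullAccess",
    "arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly",
    "arn:aws:iam::aws:policy/AWSSSOReadOnly",
}
# Customer-managed policy: its ARN is account-specific, so it is matched by name
# (assumption: the policy is named exactly as the table lists it).
EXPECTED_AWS_CUSTOM_NAMES = {"LightsailFullAccessPolicy"}

# CONSTRUCTED sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_GCP_MEMBER = "serviceAccount:sprinto@example-proj.iam.gserviceaccount.com"
SAMPLE_GCP_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/iam.securityReviewer",
     "members": ["serviceAccount:sprinto@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/compute.viewer",
     "members": ["serviceAccount:sprinto@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:sprinto@example-proj.iam.gserviceaccount.com"]}
  ]
}""")

# CONSTRUCTED sample in the shape of `aws iam list-attached-role-policies --role-name ROLE`.
SAMPLE_AWS_ATTACHED = json.loads("""{
  "AttachedPolicies": [
    {"PolicyName": "SecurityAudit",
     "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"},
    {"PolicyName": "CloudWatchFullAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/CloudWatchFullAccess"},
    {"PolicyName": "AWSSSOReadOnly",
     "PolicyArn": "arn:aws:iam::aws:policy/AWSSSOReadOnly"},
    {"PolicyName": "LightsailFullAccessPolicy",
     "PolicyArn": "arn:aws:iam::123456789012:policy/LightsailFullAccessPolicy"},
    {"PolicyName": "AdministratorAccess",
     "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}
  ]
}""")


def gcp_roles_for_member(policy, member):
    """Every role bound to `member` anywhere in the project IAM policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def audit_gcp(policy, member):
    """Roles the documented set requires but the member lacks, and roles it holds beyond it."""
    observed = gcp_roles_for_member(policy, member)
    return {"missing": sorted(EXPECTED_GCP_ROLES - observed),
            "unexpected": sorted(observed - EXPECTED_GCP_ROLES)}


def audit_aws(attached):
    """AWS-managed policies are matched by ARN; customer-managed ones by name.
    Anything else attached to the integration role is reported as unexpected."""
    seen_managed, seen_custom, unexpected = set(), set(), []
    for p in attached.get("AttachedPolicies", []):
        arn, name = p["PolicyArn"], p["PolicyName"]
        if arn.startswith("arn:aws:iam::aws:policy/"):
            if arn in EXPECTED_AWS_MANAGED:
                seen_managed.add(arn)
            else:
                unexpected.append(arn)
        elif name in EXPECTED_AWS_CUSTOM_NAMES:
            seen_custom.add(name)
        else:
            unexpected.append(arn)
    missing = sorted(EXPECTED_AWS_MANAGED - seen_managed) + sorted(EXPECTED_AWS_CUSTOM_NAMES - seen_custom)
    return {"missing": missing, "unexpected": sorted(unexpected)}


if __name__ == "__main__":
    print("GCP:", audit_gcp(SAMPLE_GCP_POLICY, SAMPLE_GCP_MEMBER))
    print("AWS:", audit_aws(SAMPLE_AWS_ATTACHED))
```

Run against the real CLI output instead of the samples to confirm the integration principal has not drifted from the documented grants; an "unexpected" entry is the finding to act on.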

Microsoft Azure DevOps:

Sprinto exclusively requests "read-only" access to the following Azure DevOps resources to understand their system configurations comprehensively. It's important to note that Sprinto does not read any code stored from Azure DevOps repositories. The system configuration helps us to compute the compliance requirements and activate the relevant checks.

Permission: vso.code
The following permission allows Sprinto to retrieve source code and commit metadata, changesets, branches, and other version control artifacts. It also enables code search and configuring notifications through service hooks for version control events.

Resources:
- Repositories
- Policy Configuration

Purpose:
- To manage the change management-related compliance requirements.

Sprinto checks:
* Code changes should be reviewed by peers before merging
* Peer review should be enforced for code changes

Permission: vso.build
The following permission allows Sprinto to access build artifacts, including build results and definitions. It also helps configure notifications through service hooks for build events.

Resources:
- Pull Request
- Branches
- Latest Build
- Build Artifacts

Purpose:
- To manage the change management-related compliance requirements.
- To manage the vulnerabilities detected by the monitoring source.

Sprinto checks:
* Peer review should be enforced for code changes
* Dependency vulnerability scanner SLScan should be running

Permission: vso.memberentitlementmanagement
The following permission helps Sprinto retrieve user details, licenses, and the projects and extensions each user has access to.

Resources:
- User Entitlement

Purpose:
- To manage users' access control.

Sprinto checks:
* Azure DevOps user should be identified
* Azure DevOps access should be removed for offboarded user

Microsoft Azure:

Sprinto exclusively requests "read-only" access to the following Azure resources to understand their system configurations comprehensively. It's important to note that Sprinto does not read any data stored or processed from Azure databases. The system configuration helps us to compute the compliance requirements and activate the relevant checks.

Permission: Directory.Read.All
The following permission allows Sprinto to fetch data from the Azure organization directory, such as users, groups, and apps, without a signed-in user.

Resources:
- CDN Profiles
- Network Security Groups
- SQL Databases
- Cosmos DB Accounts
- Postgres Servers
- Postgres Flexible Servers
- SQL Servers
- SQL Flexible Servers
- Key Vault Vaults
- AKS Managed Clusters
- Storage Accounts
- Compute Disks
- Redis Cache
- Databricks Workspaces
- Webapp Sites
- Container Apps
- Data Factories
- Analysis Service Servers
- Defender Alerts
- Flow Logs

Purpose:
- To manage vulnerability monitoring on Azure resources.

Sprinto checks:
* Azure CosmosDB latency should be monitored
* Azure CosmosDB should be encrypted
* Azure CosmosDB backup should be enabled
* Azure CosmosDB database should be protected from direct internet traffic
* Azure SQL database should be protected from direct internet traffic
* Azure SQL database memory utilization should be monitored
* Azure SQL database CPU utilization should be monitored
* Azure SQL database IO utilization should be monitored
* Azure SQL database should be encrypted
* Azure SQL database backup should be enabled
* Azure storage account should be encrypted
* Azure storage account public network access should be disabled
* Azure storage account minimum TLS version should be version 1.2
* Azure storage account secure transfer required should be enabled
* Azure storage account default network access rule should be set to deny
* Azure storage account cross tenant replication should not be enabled
* Azure storage account allow blob anonymous access should be disabled
* Azure Web App is using the latest version of TLS encryption
* Azure Web App redirects all HTTP traffic to HTTPS in Azure App Service
* Azure VM CPU utilization should be monitored
* Azure activity logs should be archived
* Azure PostgreSQL Database Server infrastructure double encryption should be enabled
* Azure PostgreSQL Database Server enforce SSL connection should be enabled
* Azure Cache for Redis CPU utilization should be monitored
* Azure Cache for Redis freeable memory should be monitored
* Azure Cache for Redis client connections should be monitored
* Azure Disk should be encrypted
* Azure Disk backup should be enabled
* Azure Databricks health should be monitored
* Azure Databricks CPU utilization should be monitored
* Azure Databricks workspace should be encrypted
* Azure Databricks workspace backup should be enabled

Permission: Admin consent on default directory
Note: Admin consent doesn't grant admin privileges to modify the existing data. It lets Sprinto access the resources at the organization level for Sprinto's operations. Refer to Microsoft's documentation on admin consent to learn more.

Resources:
- Users
- Metric Alerts (read and create)

Purpose:
- To manage cloud infrastructure and users' access control.

Sprinto checks:
* All of the Sprinto checks from the Directory.Read.All permission apply here.
* Azure access should be removed for offboarded user
* User should be identified

Bitbucket:

Sprinto exclusively requests "read-only" access to the following Bitbucket resources to understand their system configurations comprehensively. It's important to note that Sprinto does not read any code stored from Bitbucket repositories. The system configuration helps us to compute the compliance requirements and activate the relevant checks.

Permission: Team
The following permission allows Sprinto to fetch the details of the teams created on the Bitbucket account.

Resources:
- Workspaces
- Workspace Members
- Groups
- Group Privileges

Purpose:
- To manage compliance requirements for code repositories classified as Production and control users' access.

Sprinto checks:
* Bitbucket user should be identified
* Bitbucket access should be removed for offboarded user
* Bitbucket user should have MFA enabled

Permission: Pullrequest
The following permission allows Sprinto to detect pull requests submitted by various users. Sprinto reads the create, merge, and decline details of the submitted pull requests. Refer to the Bitbucket documentation for more details.

Resources:
- Pull Requests
- Pull Request Activities
- Download Artifacts

Purpose:
- To manage compliance requirements for code repositories classified as Production and monitor vulnerabilities in these code repositories.

Sprinto checks:
* Code changes should be reviewed by peers before merging

Permission: Repository
The following permission helps Sprinto detect the available repositories on the Bitbucket account. Refer to the Bitbucket documentation for more details.

Resources:
- Repositories
- Branches

Purpose:
- To manage compliance requirements for code repositories classified as Production.

Sprinto checks:
* Code repo should be classified
* Dependency vulnerability scanner SLScan should be running

Permission: Repository:admin
The following permission helps Sprinto detect the available public and private repositories on the Bitbucket account. The permission also grants access to the admin features of a repository. Refer to the Bitbucket documentation for more details.

Purpose:
- To manage compliance requirements for code repositories classified as Production.

Sprinto checks:
* Peer review should be enforced for code changes
* Merging of code changes should require passing status checks
* Branch Protection rules should be enforced for admins

Gitlab:

Sprinto exclusively requests "read-only" access to the following Gitlab resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any code stored in repositories. The user details help us to compute the compliance requirements and activate the relevant checks.

Permission: read_api
The following permission grants read-only access to the API, all user groups, projects, and the container and package registries.

Resources:
- Group Members
- Repositories
- Merge Requests
- Branches
- Protected Branches
- Merge Request Approval Rules
- Project Approval Settings

Purpose:
- To manage the compliance needs for change management and users' access control.

Sprinto checks:
* Code repo should be classified
* Peer review should be enforced for code changes
* Merging of code changes should require passing status checks
* Branch Protection rules should be enforced for admins
* Gitlab users should be identified
* Gitlab access should be removed for offboarded user
* Gitlab user should have MFA enabled

Permission: read_repository
The following permission grants read-only access to private project repositories through Git-over-HTTP or the repository files API.

Resources:
- Job Artifact

Purpose:
- To manage the compliance requirements for vulnerability management.

Sprinto checks:
* Dependency vulnerability scanner SLScan should be running

Permission: read_user
The following permission grants read-only access to the user API endpoint, authenticating the user's profile. The fetched details include username, public email, and full name. The permission also grants read-only access to the API endpoints under the users category.

Resources:
- Project Groups

Purpose:
- To manage the compliance needs for change management.

Sprinto checks:
The Project Groups resource does not compute Sprinto checks directly but supports the other retrieved GitLab resources in validating the Sprinto checks' requirements.

Permission: profile
The following permission grants read-only access to OpenID Connect to fetch the users' profile data.

Resources:
- NA

Purpose:
- NA

Sprinto checks:
The Profile resource does not compute Sprinto checks directly but supports the other retrieved GitLab resources in validating the Sprinto checks' requirements.

GSuite (Identity provider):

Sprinto exclusively requests "read-only" access to the following GSuite resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks.

Permission: admin.directory.user.readonly
The following permission grants Sprinto access to scopes for retrieving users or user aliases.

Resources:
- User List
- User Info
- User Image URL
- User Token List

Purpose:
- To manage compliance requirements on people management and control users' access.

Sprinto checks:
* User should be identified
* Google Workspace user should have MFA enabled
* Google Workspace access should be removed for offboarded user

Permission: admin.directory.customer.readonly
The following permission grants Sprinto access to retrieve the customer's details.

Resources:
- Customer Info

Purpose:
- To validate the connection built.

Sprinto checks:
The Customer Info resource does not compute Sprinto checks directly but supports the other retrieved GSuite resources in validating the Sprinto checks' requirements.

Microsoft Office 365 (Identity provider):

Sprinto exclusively requests "read-only" access to the following Microsoft Office 365 resources to understand the users added to your account. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks.

Permission: User.Read.All
The following permission allows Sprinto to read user profiles without a signed-in user.

Resources:
- Get Users in Tenant
- User Image

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Office365 access should be removed for offboarded user

Permission: Organization.Read.All
The following permission grants Sprinto access to read the organization and related resources without a signed-in user. Related resources include subscribed SKUs and tenant branding information.

Resources:
- Organization Details

Purpose:
- To validate the connection.

Sprinto checks:
The Organization Details resource does not compute Sprinto checks directly but supports the other retrieved Office 365 resources in validating the Sprinto checks' requirements.

Permission: Reports.Read.All
The following permission grants Sprinto access to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.

Resources:
- Credential User Registration Details

Purpose:
- To manage the infrastructure-related compliance requirements.

Sprinto checks:
* Office365 user should have MFA enabled

Figma (Access management):

Sprinto exclusively requests "read-only" access to the following Figma resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks. Note: Sprinto partners with Truto.one to map the data retrieved from this integration into Sprinto.

* Authorization used: System for Cross-domain Identity Management (SCIM)

Permission: NA
Grants full access to Figma resources. Note: SCIM grants full access to all resources.

Resources:
- Users

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Figma access should be removed for offboarded user

Typeform (Access management):

Sprinto exclusively requests "read-only" access to the following Typeform resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks. Note: Sprinto partners with Truto.one to map the data retrieved from this integration into Sprinto.

* Authorization used: OAuth 2.0

* Used API: Workspaces - Refer to the API documentation for further details.

Permission: workspaces:read
The following permission grants read-only access to all workspaces and users in the account.

Permission: offline
The following permission grants access to receive a refresh token.

Resources:
- Users
- Workspaces

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Typeform access should be removed for offboarded user

Grafana (Access management):

Sprinto exclusively requests "read-only" access to the following Grafana resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks. Note: Sprinto partners with Truto.one to map the data retrieved from this integration into Sprinto.

* Authorization used: API token

* Used API: Organization Users - Refer to the API documentation for further details.

Permission: Organization user reader
Grants read access to all the users in an organization.

Resources:
- Users

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Grafana access should be removed for offboarded user

OpenVPN (Access management):

Sprinto exclusively requests "read-only" access to the following OpenVPN Cloud Connexa resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks. Note: Sprinto partners with Truto.one to map the data retrieved from this integration into Sprinto.

* Authorization used: OAuth Client Credentials

* Used API: Users, User Groups - Refer to the API documentation for further details.

Permission: NA
Full access to OpenVPN resources is granted. Note: OpenVPN doesn't support restricting resource-level access.

Resources:
- Users
- Groups

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* OpenVPN access should be removed for offboarded user

Jira (Access management):

Sprinto exclusively requests "read-only" access to the following Jira resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks. Note: Sprinto partners with Truto.one to map the data retrieved from this integration into Sprinto.

* Authorization used: OAuth 2.0

* Used API: Users, User Groups, Project Roles - Refer to the API documentation for further details.

Permission: jira-user:Read
The following permission grants read-only access to users, user groups, and roles.

Resources:
- Roles
- Users
- Groups

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Jira access should be removed for offboarded user

Confluence:

Sprinto exclusively requests "read-only" access to the following Confluence resources to understand the users added to your account and their roles in the organization. It's important to note that Sprinto does not read any critical user details from these resources. The user details help us to compute the compliance requirements and activate the relevant checks. Note: Sprinto partners with Truto.one to map the data retrieved from this integration into Sprinto.

* Authorization used: OAuth 2.0

* Used API: Search Users, List Users, Get Groups - Refer to the API documentation for further details.

Permission: Confluence-user:Read
The following permission grants read-only access to users with their IDs, and to authenticated user information.

Resources:
- Users

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Confluence access should be removed for offboarded user

Permission: Confluence-groups:Read
The following permission grants read-only access to the group API.

Resources:
- Groups

Purpose:
- To retrieve the available user group details from Confluence for group-based compliance applications.

Sprinto checks:
* User should be identified
* Confluence access should be removed for offboarded user

Permission: Content-details:Confluence:Read
Allows calling the search endpoint to get access to all the users.

Resources:
- Users

Purpose:
- To manage people-related compliance requirements and users' access control.

Sprinto checks:
* User should be identified
* Confluence access should be removed for offboarded user

Support

Contact our support team if you have any questions about granting permissions on the listed services or need any assistance.
