# Customer-cloud security review packet

Use this as the cover sheet for a customer-cloud deployment review. Attach the generated Terraform, CloudFormation, Helm, IAM, and source artifacts behind it.

## 1. Deployment summary

Customer:

Vendor application:

Environment:

Cloud / platform:

Region:

Deployment model:

- [ ] Push: vendor management service uses a scoped cloud-provider identity.
- [ ] Pull: customer-installed agent connects outbound over HTTPS.
- [ ] Airgapped: releases and telemetry move through an approved offline process.

Install method:

- [ ] Terraform
- [ ] CloudFormation
- [ ] Helm
- [ ] Project-branded CLI
- [ ] Other:

## 2. What will run

List every process, worker, container, function, daemon, or agent that will run in the customer environment.

| Component | Runtime | Purpose | Network access | Reads customer data? |
|---|---|---|---|---|
| | | | | |

Attach:

- Stack definition
- Container image list and digests
- Generated install artifact
- Runtime configuration

## 3. What will be created

List every cloud resource the deployment creates or expects.

| Resource | Cloud-native type | Frozen or live | Created by | Modified after setup? | Delete behavior |
|---|---|---|---|---|---|
| | | | | | |

Notes:

- Frozen resources hold customer data and should not be modified by the vendor after setup.
- Live resources are operated by the vendor and should not contain sensitive payloads unless explicitly approved.

## 4. Permissions

Attach the generated permission policy exactly as the customer will approve it.

| Identity / role | Scope | Allowed actions | Reason | Revocation path |
|---|---|---|---|---|
| | | | | |

Reviewer checks:

- [ ] Permissions are scoped to the isolated area only.
- [ ] No wildcard access to unrelated resources.
- [ ] No read access to storage objects, database rows, or secret values unless explicitly required.
- [ ] Provisioning permissions are used only during setup.
- [ ] Ongoing management permissions are narrower than provisioning permissions.
- [ ] Runtime permissions are scoped per component.
- [ ] If a future release needs new permissions, deployment stops before cloud changes and requires an updated setup artifact.
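As an added illustration (not tooling from the packet or any vendor), the script below mechanises the wildcard, isolated-scope and data-read checks above over an IAM policy document; the action list, the ARN prefixes and the sample policy are constructed for the example.

```python
# Added illustration, not the packet's own tooling; action names, ARN prefixes
# and the sample policy are constructed. Mechanises the section 4 reviewer checks.
DATA_READ_ACTIONS = {  # data-plane reads needing explicit approval (subset)
    "s3:GetObject", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "secretsmanager:GetSecretValue", "ssm:GetParameter", "kms:Decrypt",
}

def _as_list(value):  # IAM allows a string or list in Action/Resource
    return value if isinstance(value, list) else [value]

def review_policy(policy, isolated_prefixes, approved_reads=()):
    """Return findings for an IAM policy dict. isolated_prefixes are the ARN
    prefixes of the approved isolated area; approved_reads are data-plane read
    actions the customer explicitly required."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {idx}: wildcard action {action}")
            elif action in DATA_READ_ACTIONS and action not in approved_reads:
                findings.append(f"stmt {idx}: unapproved data read {action}")
        for res in _as_list(stmt.get("Resource", [])):
            # Some Describe*/List* calls accept only "*"; still report so the
            # reviewer sees and justifies each such statement.
            if res == "*":
                findings.append(f"stmt {idx}: wildcard resource")
            elif not any(res.startswith(p) for p in isolated_prefixes):
                findings.append(f"stmt {idx}: resource outside isolated area {res}")
    return findings

# Constructed sample: one clean statement plus one violation of each kind.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::vendor-app-isolated/*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:customer-db"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::vendor-app-isolated/*"},
    ],
}
ISOLATED = ("arn:aws:s3:::vendor-app-isolated",)

if __name__ == "__main__":
    for line in review_policy(SAMPLE_POLICY, ISOLATED, approved_reads=("s3:GetObject",)):
        print(line)
```

Every finding is a line item for the reviewer to justify or have the vendor remove; a clean run means only that these three checks pass, not that the policy is approved.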

## 5. Network model

Inbound access:

- [ ] None.
- [ ] Required. Explain:

Outbound access:

| Source | Destination | Protocol | Purpose | Can be disabled? |
|---|---|---|---|---|
| | | | | |

Private access:

| Component | Private system reached | Why it needs access |
|---|---|---|
| | | |

## 6. Remote actions

List every remote command, job, or action the vendor can trigger inside the customer environment.

| Command | Handler source file | Inputs | Output returned | Permissions used | Audit location |
|---|---|---|---|---|---|
| | | | | | |

Rules:

- No generic shell command unless explicitly approved.
- No arbitrary SQL command unless explicitly approved.
- Command output is part of the data boundary. If the handler returns raw rows, raw rows leave.

## 7. Telemetry

List every log, metric, trace, event, and identifier that leaves the environment.

| Signal | Fields | Destination | Retention | Redaction / masking |
|---|---|---|---|---|
| | | | | |

Reviewer checks:

- [ ] No secrets in logs.
- [ ] No customer payloads unless explicitly approved.
- [ ] Deployment/customer identifiers are documented.
- [ ] Telemetry can be disabled or routed according to the customer contract.

## 8. Updates and rollback

Release source:

Update mechanism:

Approval gates:

Rollback mechanism:

| Scenario | What happens | Who approves | How to verify |
|---|---|---|---|
| Normal update | | | |
| Emergency patch | | | |
| Failed update | | | |
| Rollback | | | |

## 9. Customer controls

| Control | How the customer performs it | Effect |
|---|---|---|
| Pause updates | | |
| Revoke vendor access | | |
| Disable telemetry | | |
| Uninstall deployment | | |
| Export audit logs | | |

## 10. Evidence checklist

Attach these before asking for approval:

- [ ] Stack definition
- [ ] Generated Terraform / CloudFormation / Helm / CLI artifact
- [ ] Generated IAM or cloud permission policy
- [ ] Frozen/live resource table
- [ ] Network egress list
- [ ] Remote command handler list
- [ ] Telemetry contract
- [ ] Update and rollback procedure
- [ ] Revocation and uninstall procedure
- [ ] Support contact and incident process
