Copyable resource

Customer-cloud security review packet

A copyable packet for customer-cloud security review: install artifact, permissions, frozen/live resources, telemetry, commands, and revocation.

Customer-cloud security review packet

Use this as the cover sheet for a customer-cloud deployment review. Attach the generated Terraform, CloudFormation, Helm, IAM, and source artifacts behind it.

1. Deployment summary

Customer:

Vendor application:

Environment:

Cloud / platform:

Region:

Deployment model:

Push: vendor management service uses a scoped cloud-provider identity.
Pull: customer-installed agent connects outbound over HTTPS.
Airgapped: releases and telemetry move through an approved offline process.

Install method:

2. What will run

List every process, worker, container, function, daemon, or agent that will run in the customer environment.

Component	Runtime	Purpose	Network access	Reads customer data?

Attach:

Stack definition
Container image list and digests
Generated install artifact
Runtime configuration

3. What will be created

List every cloud resource the deployment creates or expects.

Resource	Cloud-native type	Frozen or live	Created by	Modified after setup?	Delete behavior

Notes:

Frozen resources hold customer data and should not be modified by the vendor after setup.
Live resources are operated by the vendor and should not contain sensitive payloads unless explicitly approved.

4. Permissions

Attach the generated permission policy exactly as the customer will approve it.

Identity / role	Scope	Allowed actions	Reason	Revocation path

Reviewer checks:

Permissions are scoped to the isolated area only.
No wildcard access to unrelated resources.
No read access to storage objects, database rows, or secret values unless explicitly required.
Provisioning permissions are used only during setup.
Ongoing management permissions are narrower than provisioning permissions.
Runtime permissions are scoped per component.
If a future release needs new permissions, deployment stops before cloud changes and requires an updated setup artifact.

5. Network model

Inbound access:

None.
Required. Explain:

Outbound access:

Source	Destination	Protocol	Purpose	Can be disabled?

Private access:

Component	Private system reached	Why it needs access

6. Remote actions

List every remote command, job, or action the vendor can trigger inside the customer environment.

Command	Handler source file	Inputs	Output returned	Permissions used	Audit location

Rules:

No generic shell command unless explicitly approved.
No arbitrary SQL command unless explicitly approved.
Command output is part of the data boundary. If the handler returns raw rows, raw rows leave.

7. Telemetry

List every log, metric, trace, event, and identifier that leaves the environment.

Signal	Fields	Destination	Retention	Redaction / masking

Reviewer checks:

No secrets in logs.
No customer payloads unless explicitly approved.
Deployment/customer identifiers are documented.
Telemetry can be disabled or routed according to the customer contract.

8. Updates and rollback

Release source:

Update mechanism:

Approval gates:

Rollback mechanism:

Scenario	What happens	Who approves	How to verify
Normal update
Emergency patch
Failed update
Rollback

9. Customer controls

Control	How the customer performs it	Effect
Pause updates
Revoke vendor access
Disable telemetry
Uninstall deployment
Export audit logs

10. Evidence checklist

Attach these before asking for approval:

Copyable resource

Customer-cloud security review packet

A copyable packet for customer-cloud security review: install artifact, permissions, frozen/live resources, telemetry, commands, and revocation.

Customer-cloud security review packet

Use this as the cover sheet for a customer-cloud deployment review. Attach the generated Terraform, CloudFormation, Helm, IAM, and source artifacts behind it.

1. Deployment summary

Customer:

Vendor application:

Environment:

Cloud / platform:

Region:

Deployment model:

Push: vendor management service uses a scoped cloud-provider identity.
Pull: customer-installed agent connects outbound over HTTPS.
Airgapped: releases and telemetry move through an approved offline process.

Install method:

2. What will run

List every process, worker, container, function, daemon, or agent that will run in the customer environment.

Component	Runtime	Purpose	Network access	Reads customer data?

Attach:

Stack definition
Container image list and digests
Generated install artifact
Runtime configuration

3. What will be created

List every cloud resource the deployment creates or expects.

Resource	Cloud-native type	Frozen or live	Created by	Modified after setup?	Delete behavior

Notes:

Frozen resources hold customer data and should not be modified by the vendor after setup.
Live resources are operated by the vendor and should not contain sensitive payloads unless explicitly approved.

4. Permissions

Attach the generated permission policy exactly as the customer will approve it.

Identity / role	Scope	Allowed actions	Reason	Revocation path

Reviewer checks:

Permissions are scoped to the isolated area only.
No wildcard access to unrelated resources.
No read access to storage objects, database rows, or secret values unless explicitly required.
Provisioning permissions are used only during setup.
Ongoing management permissions are narrower than provisioning permissions.
Runtime permissions are scoped per component.
If a future release needs new permissions, deployment stops before cloud changes and requires an updated setup artifact.

5. Network model

Inbound access:

None.
Required. Explain:

Outbound access:

Source	Destination	Protocol	Purpose	Can be disabled?

Private access:

Component	Private system reached	Why it needs access

6. Remote actions

List every remote command, job, or action the vendor can trigger inside the customer environment.

Command	Handler source file	Inputs	Output returned	Permissions used	Audit location

Rules:

No generic shell command unless explicitly approved.
No arbitrary SQL command unless explicitly approved.
Command output is part of the data boundary. If the handler returns raw rows, raw rows leave.

7. Telemetry

List every log, metric, trace, event, and identifier that leaves the environment.

Signal	Fields	Destination	Retention	Redaction / masking

Reviewer checks:

No secrets in logs.
No customer payloads unless explicitly approved.
Deployment/customer identifiers are documented.
Telemetry can be disabled or routed according to the customer contract.

8. Updates and rollback

Release source:

Update mechanism:

Approval gates:

Rollback mechanism:

Scenario	What happens	Who approves	How to verify
Normal update
Emergency patch
Failed update
Rollback

9. Customer controls

Control	How the customer performs it	Effect
Pause updates
Revoke vendor access
Disable telemetry
Uninstall deployment
Export audit logs

10. Evidence checklist

Attach these before asking for approval: