# Cloud Change Review Checklist

> **Intro:** Use this checklist when the change is primarily in IAM, networking, storage, logging, or managed-service configuration rather than application code.

## Best time to use this checklist

Use it for new roles, trust policies, network exposure changes, storage-policy edits, managed database changes, or cluster/platform changes.

## Stop-the-line conditions

* broadened IAM trust without a strong reason or short-lived identity model;
* public exposure of a storage, API, or control-plane endpoint without compensating controls;
* removal or weakening of auditability;
* a privilege path that now lets CI/CD or automation reach production more directly than intended.
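As an added example (not part of the checklist itself), the script below automates the first stop-the-line condition: it compares a before/after IAM trust policy and flags a wildcard principal, a newly trusted principal, or a federated (OIDC) trust that lost its `Condition`. The account id, OIDC provider, repository and role are constructed sample values.

```python
"""Stop-the-line check: did an IAM trust policy change broaden who can assume the role?"""

# Constructed sample: CI deploy role trust policy before and after a change (not a real account).
BEFORE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"},
    "Condition": {"StringEquals": {"token.actions.githubusercontent.com:sub": "repo:example/app:ref:refs/heads/main"}}}]}

AFTER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}


def principals(policy):
    """Return (kind, value, has_condition) for every principal in an Allow statement."""
    out = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        has_cond = bool(st.get("Condition"))
        p = st.get("Principal", {})
        if p == "*":  # "Principal": "*" is shorthand for anyone
            out.append(("AWS", "*", has_cond))
            continue
        for kind, vals in p.items():
            for v in ([vals] if isinstance(vals, str) else vals):
                out.append((kind, v, has_cond))
    return out


def trust_findings(before, after):
    """List reasons the change broadens trust; an empty list means no stop-the-line hit."""
    old = {(k, v) for k, v, _ in principals(before)}
    findings = []
    for kind, value, has_cond in principals(after):
        if value == "*":
            findings.append(f"wildcard principal: {kind}={value}")
        elif (kind, value) not in old:
            findings.append(f"new trusted principal: {kind}={value}")
        if kind == "Federated" and not has_cond:
            # Without a sub/aud condition, any identity issued by that OIDC provider can assume the role
            findings.append(f"federated trust without Condition: {value}")
    return findings


if __name__ == "__main__":
    for f in trust_findings(BEFORE, AFTER):
        print("STOP:", f)
```

Run it against the exported trust policy of the role before and after the change; any `STOP:` line should block the review until the justification is recorded.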

## Text-first review prompts

* Which identity or role changed, and what new action can it now perform?
* What network path or public exposure changed?
* Does the change affect encryption, logging, retention, or access to sensitive data?
* What is the blast radius if this role, security group, bucket policy, or route is wrong?
* How will we detect misuse after the change?
* Is there a rollback path for the infrastructure change?

## Evidence table

| Control area  | What to verify                                               | Typical evidence                         |
| ------------- | ------------------------------------------------------------ | ---------------------------------------- |
| IAM           | Trust policy, principals, and permissions are minimized      | role definition, policy diff             |
| Network       | Ingress, egress, and private access assumptions are reviewed | security group diff, route table, policy |
| Storage/data  | Bucket, object, DB, or key access is restricted and logged   | policy diff, audit setting               |
| Observability | CloudTrail / Activity Log / Audit Logs coverage is preserved | logging config, dashboard                |
| Rollback      | The infrastructure change can be reverted safely             | IaC rollback, change ticket              |

## Common misses

* reviewing only resource config and ignoring who can change it later;
* forgetting that network egress can be as important as ingress;
* assuming managed-service defaults are already safe;
* not asking whether build or deployment identities just gained a new path into production.

## Related pages

* [IAM Review Checklist](/learning-labs-interview-and-templates/index-3/iam-review-checklist.md)
* [AWS Networking and Policy Baseline](https://github.com/D3One/Product-Security-Gitbook/blob/main/08-infrastructure-and-cloud-security/aws-networking-and-policy-baseline.md)
* [Provider-Specific Cloud Attack Chains](/attack-paths-testing-detection-and-hardening/index-1/cloud-attack-chains.md)

---

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*