Security Checklist for Production Onboarding
Who this is for
Anyone preparing to move production workloads onto CloudAIPilot for the first time, or conducting a security review before go-live.
What you will complete
Complete a structured security checklist covering access controls, AI safety, monitoring, notifications, and data protection — covering everything needed before production go-live.
Before you begin
Complete this checklist after your initial setup (servers provisioned, sites or apps deployed) and before making the environment publicly accessible.
Section 1: Access control
- [ ] Team roles assigned correctly. No developer has Owner access unless they need it. Clients or external stakeholders have Viewer access only.
Go to: Settings → Team Members. See KB-09-02.
- [ ] Production Protection is enabled. AI Pilot cannot perform write actions on production-tagged servers.
Go to: Settings → AI Agent → Agent Controls → Production Protection.
- [ ] Per-server AI access levels reviewed. Production servers are set to Read Only or Full Access as appropriate.
Go to: Settings → AI Agent → Per-Server Access. See KB-07-05.
- [ ] Fine-tune Write Actions reviewed. Only the operations your team needs are enabled for AI Pilot.
Go to: Settings → AI Agent → Agent Controls → Fine-tune Write Actions. See KB-07-04.
Section 2: Monitoring and alerting
- [ ] Alert rules created for all production servers. At minimum: CPU critical at 95%, RAM critical at 95%, disk warning at 80%, disk critical at 90%.
Go to: Alerts → Rules. See KB-06-03.
- [ ] At least one notification channel verified. A test notification was sent and received successfully.
Go to: Settings → Notification Channels. See KB-10-07.
- [ ] Alert escalation configured for critical rules. Critical alerts escalate if not acknowledged within 15–30 minutes.
See KB-06-06.
- [ ] Server monitoring agent active on all production servers. All production servers show live metrics (not grey/no data).
Go to: Monitoring. See KB-06-10.
Section 3: Backup and data protection
- [ ] Backup schedule configured for all production servers. At minimum daily automated backups.
Go to: Backups. See KB-05-03.
- [ ] At least one successful backup exists for each production server. Verify a recent backup is listed and shows "Completed" status.
Go to: Backups. See KB-05-02.
- [ ] Offsite/cloud storage backup configured. At least one copy of backups is in a different location from the server.
Go to: Cloud Storage → Vault. See KB-05-07.
- [ ] Restore procedure tested. You have successfully tested restoring from a backup at least once in a staging environment.
See KB-05-05.
Section 4: Post-quantum security
- [ ] PQC active on all production servers. Security tab on each server shows "Post-quantum encryption active."
Go to: Servers → [Server] → Security tab. See KB-11-03.
- [ ] Keys rotated if needed. For servers provisioned more than 90 days ago, rotate PQC keys.
Go to: Servers → [Server] → Security tab → Rotate Keys.
Section 5: Cloud account security
- [ ] Cloud API credentials use minimum-privilege IAM roles. The IAM role or service account has only the permissions CloudAIPilot actually needs.
See KB-01-05.
- [ ] Cloud account health shows Healthy. No credential or permission warnings.
Go to: Cloud Accounts. See KB-01-08.
Section 6: Final verification
- [ ] Audit log reviewed. No unexpected actions appear in the past 7 days.
Go to: Settings → Audit Log.
- [ ] Production server IP not publicly exposed to SSH from all IPs. SSH access is restricted to known IPs or handled only through the CloudAIPilot control channel.
Go to: Servers → [Server] → Firewall.
- [ ] All team members have been briefed on the approval card process. Anyone who will approve AI actions understands what to check before clicking Allow.
Share: KB-07-02.
You are ready for production when
All items above are checked. No "No data" servers appear in Monitoring. At least one successful backup exists. At least one notification channel is verified. Production Protection is enabled.