Eight prompts to answer before the first call.

What is forcing this conversation now?

Examples: SOC 2 deadline, enterprise security review, buyer-blocker, internal incident, disaster recovery gap, Terraform drift.

Which cloud provider, and what is the rough account scope across production accounts, projects, or subscriptions?

A short phrase like “AWS · 3 production accounts · 1 staging” is enough. Do not write account IDs or ARNs.

Where does production traffic and customer data live today?

Region names or a residency posture (“US-only”, “EU + US”) — no resource identifiers.

How much of the current cloud is reflected in Terraform or another IaC system?

Trusted, partial, stale, missing, or unknown. Pick the honest answer.

When does this need to be in a defensible state?

Audit date, buyer-review date, board cycle, or “no hard deadline yet”.

Who signs off on AWS access, scope, and remediation rollout?

Roles, not names. Examples: CTO, Head of Security, AWS account owner, security partner.

What do you already suspect is broken, missing, or undocumented?

Plain language is fine. Skip security-group IDs, ARNs, and resource identifiers.

Do not include secrets, passwords, tokens, access keys, account IDs, ARNs, IP allowlists, customer data, or production credentials. The fit check and scoping conversation happen before any AWS access is granted.