# Cloud migration readiness checklist (47 controls)

Use during **MAP Assess** / **Mobilize** gate reviews. Mark **Pass**, **Fail**, or **N/A** with evidence link (wiki page, ticket, or artifact path).

## People (10)

| # | Control | Pass criteria | Evidence |
|---|---------|---------------|----------|
| P1 | Executive sponsor named | Single accountable exec on program charter | |
| P2 | Cloud center of excellence or platform team | ≥1 FTE platform owner before wave 1 | |
| P3 | App owner per workload | RACI lists business + technical owner | |
| P4 | Skills plan | Training budget or partner SOW for AWS fundamentals | |
| P5 | Operating model | Run vs build split documented | |
| P6 | Change management | CAB or equivalent for cutovers | |
| P7 | Support model | On-call rotation defined for post-cutover | |
| P8 | Partner scope | MAP/partner roles in RACI if applicable | |
| P9 | Security liaison | Security sign-off on wave plan | |
| P10 | FinOps liaison | Finance reviewer on TCO model | |

## Platform (12)

| # | Control | Pass criteria | Evidence |
|---|---------|---------------|----------|
| PL1 | Organizations root | AWS Organizations enabled | |
| PL2 | Landing zone / Control Tower | Baseline accounts provisioned or dated plan | |
| PL3 | Identity | SSO (Identity Center) or federation design approved | |
| PL4 | Network topology | VPC / TGW / egress pattern documented | |
| PL5 | DNS strategy | Route 53 or hybrid DNS cutover plan | |
| PL6 | CMDB / discovery | Machine-readable dependency map | |
| PL7 | Migration tooling | AMS/MGN, DMS, or Transform path selected | |
| PL8 | Non-prod parity | Dev/stage account strategy | |
| PL9 | Backup / DR | RPO/RTO per tier | |
| PL10 | Observability | Central logging account + retention | |
| PL11 | IaC standard | Terraform/CDK/CloudFormation chosen | |
| PL12 | CI/CD | Deploy pipeline for at least pilot app | |

## Security (13)

| # | Control | Pass criteria | Evidence |
|---|---------|---------------|----------|
| S1 | SCP guardrails | Baseline deny SCPs attached | |
| S2 | GuardDuty | Delegated admin + org trail | |
| S3 | Security Hub | Essentials or documented deferral | |
| S4 | Config | Recorder on all in-scope accounts | |
| S5 | Encryption | KMS keys + rotation policy | |
| S6 | Secrets | No long-lived keys in user-data | |
| S7 | IAM | No shared admin users; break-glass documented | |
| S8 | Data classification | PHI/PCI/PII tags on workloads | |
| S9 | Compliance frameworks | List of in-scope frameworks | |
| S10 | Pen test / IR | IR runbook owner | |
| S11 | Vulnerability mgmt | Inspector or equivalent scope | |
| S12 | WAF / edge | Public app protection plan | |
| S13 | Audit logging | CloudTrail org trail + retention | |

## FinOps (12)

| # | Control | Pass criteria | Evidence |
|---|---------|---------------|----------|
| F1 | Tag policy | Mandatory tags enforced or scheduled | |
| F2 | Cost allocation | CUR + cost categories | |
| F3 | Budgets | Per-account or per-app budgets | |
| F4 | Anomaly detection | Cost Anomaly Detection enabled | |
| F5 | Parallel-run budget | Dual-run weeks costed | |
| F6 | Data transfer model | NAT/egress line items in TCO | |
| F7 | Licensing | BYOL / license mobility reviewed | |
| F8 | Commitment strategy | RI/SP deferral until day-30 post-cutover | |
| F9 | MAP tags | MAP-eligible tag keys defined | |
| F10 | Showback/chargeback | Business unit mapping | |
| F11 | Right-size plan | Day-30 review scheduled | |
| F12 | Decommission | Source DC exit cost in business case | |

**Gate:** Mobilize should not start with >5 **Fail** in Security or Platform pillars.
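The gate rule above is easy to misapply by hand when four pillars are marked across several wiki pages. The following script is an added example (not part of this checklist or any AWS tooling) that parses tables in this page's format and applies the gate mechanically. It assumes two things not in the checklist: reviewers add a `Status` column between `Pass criteria` and `Evidence`, and each pillar name is the first word of its `##` heading. The sample table is constructed.

```python
"""Gate evaluator for the migration readiness checklist (added example).

Assumptions (not in the original checklist):
  * A "Status" column holding Pass / Fail / N/A is inserted before "Evidence".
  * The pillar name is the first word after "## " in each section heading.
"""
import re
from collections import defaultdict

GATE_PILLARS = {"Security", "Platform"}   # pillars the gate rule applies to
MAX_FAILS = 5                            # gate: no more than 5 Fails per gate pillar
VALID_STATUS = {"Pass", "Fail", "N/A"}

# Constructed sample in the page's table format plus the assumed Status column.
SAMPLE = """\
## Platform (12)

| # | Control | Pass criteria | Status | Evidence |
|---|---------|---------------|--------|----------|
| PL1 | Organizations root | AWS Organizations enabled | Pass | wiki/landing-zone |
| PL2 | Landing zone / Control Tower | Baseline accounts provisioned | Fail | |
| PL3 | Identity | SSO design approved | Pass | |
| PL9 | Backup / DR | RPO/RTO per tier | N/A | |

## Security (13)

| # | Control | Pass criteria | Status | Evidence |
|---|---------|---------------|--------|----------|
| S1 | SCP guardrails | Baseline deny SCPs attached | Fail | |
| S2 | GuardDuty | Delegated admin | Fail | |
| S3 | Security Hub | Essentials | Fail | |
| S4 | Config | Recorder on all accounts | Fail | |
| S5 | Encryption | KMS keys + rotation | Fail | |
| S6 | Secrets | No long-lived keys in user-data | Fail | |
| S7 | IAM | No shared admin users | Pass | TICKET-123 |
"""

HEADING = re.compile(r"^##\s+(\S+)")          # "## Security (13)" -> "Security"
ROW = re.compile(r"^\|\s*([A-Z]+\d+)\s*\|")   # data rows start with an id like S1 / PL12


def parse_checklist(text):
    """Return a list of (pillar, control_id, status, evidence) tuples.

    Raises ValueError on a row whose status is not one of Pass/Fail/N/A, so an
    unmarked control can never silently count as a pass.
    """
    pillar = None
    items = []
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            pillar = m.group(1)
            continue
        if not ROW.match(line):
            continue  # header, separator, or prose line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5:
            raise ValueError(f"row has fewer than 5 cells: {line!r}")
        control_id, status, evidence = cells[0], cells[3], cells[4]
        if status not in VALID_STATUS:
            raise ValueError(f"{control_id}: status {status!r} is not Pass/Fail/N/A")
        items.append((pillar, control_id, status, evidence))
    return items


def fails_per_pillar(items):
    """Count Fail marks per pillar (pillars with no Fail are omitted)."""
    counts = defaultdict(int)
    for pillar, _, status, _ in items:
        if status == "Fail":
            counts[pillar] += 1
    return dict(counts)


def gate_passes(items):
    """Page's gate: Mobilize may start only if no gate pillar exceeds MAX_FAILS Fails."""
    counts = fails_per_pillar(items)
    return all(counts.get(p, 0) <= MAX_FAILS for p in GATE_PILLARS)


def missing_evidence(items):
    """A Pass without an evidence link is an unsupported claim; return those ids."""
    return [cid for _, cid, status, ev in items if status == "Pass" and not ev]


if __name__ == "__main__":
    parsed = parse_checklist(SAMPLE)
    print("Fails per pillar:", fails_per_pillar(parsed))
    print("Pass marks lacking evidence:", missing_evidence(parsed))
    print("Mobilize gate:", "OPEN" if gate_passes(parsed) else "BLOCKED")
```

Run it against the exported checklist before the gate review; a `BLOCKED` result or any id listed under missing evidence is a finding for the review itself, not something to fix by editing the status column.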
