12 — Deployment readiness reference — AWS & Azure checklists, prerequisite owners & key contacts.
The following checklists summarise the technical prerequisites and governance steps required before Layerup AI Agents are ready for production deployment in your cloud environment. They are intended for your Enterprise Architecture and Platform Engineering teams to use as the authoritative pre-go-live gate. All checklist items must be confirmed as complete before live application traffic is routed to the agent. Items marked with a Layerup co-owner require coordination with your Layerup Implementation Lead.
11.1 AWS deployment readiness checklist
Procurement & Registry (3 items)
| checklist item | owner |
|---|---|
| AWS Marketplace subscription active for Layerup AI Agent listing | Your Procurement + AWS Account Team |
| Designated ECR repository created for Layerup container images within your AWS account | Your Platform Engineering |
| Image signing verification policy configured in ECR to enforce Cosign signature validation before pull | Your Security Team |
Security Scanning (2 items)
| checklist item | owner |
|---|---|
| Amazon Inspector enabled on the designated ECR repository for automatic image scanning on push | Your Security Team |
| Inspector findings severity threshold defined and enforced in CI/CD promotion pipeline (block on Critical / High) | Your Security Team + Platform Engineering |
Network & Compute (3 items)
| checklist item | owner |
|---|---|
| Dedicated VPC with private subnets configured for agent compute — no Internet Gateway route from agent subnets | Your Platform Engineering |
| VPC Endpoints provisioned for: S3, SQS, Amazon Bedrock, CloudWatch Logs, ECR (both ecr.api and ecr.dkr) | Your Platform Engineering |
| Security Group rules configured for agent compute: no inbound from outside VPC; outbound restricted to VPC endpoint destinations only | Your Security Team |
Encryption & Key Management (3 items)
| checklist item | owner |
|---|---|
| Customer-managed KMS key created and designated for agent data (S3 input/output, CloudWatch Logs, optional intermediate state storage) | Your Security Team |
| S3 input bucket and S3 output bucket created with CMK encryption, versioning enabled, and bucket policies restricting access to agent IAM role only | Your Platform Engineering |
| Key access policy confirmed: agent IAM role has kms:Decrypt only — cannot rotate, disable, or delete the key | Your Security Team |
Queuing & Event Infrastructure (2 items)
| checklist item | owner |
|---|---|
| SQS intake queue and completion queue created with appropriate Dead-Letter Queue (DLQ) configuration and visibility timeout set to accommodate maximum processing time (60 minutes recommended) | Your Platform Engineering |
| EventBridge rules (or S3 Event Notification → SQS trigger) configured to route application packet uploads to the agent trigger | Your Platform Engineering |
Identity & Access (2 items)
| checklist item | owner |
|---|---|
| IAM Execution Role created with least-privilege policy (s3:GetObject/PutObject on designated buckets, bedrock:InvokeModel on approved model ARNs, bedrock:ApplyGuardrail, sqs:ReceiveMessage/DeleteMessage, logs:PutLogEvents, kms:Decrypt) and explicit deny-all for all other permissions | Your Security Team |
| Confirmed: no Layerup personnel hold permanent IAM credentials in your AWS account. Implementation-phase time-limited role revocation plan agreed. | Your Security Team + Layerup |
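The two policy items above (the execution role's least-privilege policy, and the earlier key-access item requiring kms:Decrypt only) can be checked mechanically rather than by eye. The following is an added example, not Layerup's own code or a Layerup-supplied policy: it builds an execution-role policy in the shape the checklist describes and runs a gate over it that flags wildcard actions, actions outside the approved set (including any KMS action other than kms:Decrypt), Allow statements on `Resource: "*"`, and the absence of the explicit deny-all. All ARNs, bucket, queue and log-group names are constructed placeholders.

```python
"""Added example, not Layerup's own code: builds the least-privilege execution-role
policy the Identity & Access checklist describes and runs a pre-go-live gate over it.
All ARNs, bucket, queue and log-group names are constructed placeholders."""
import json

# Constructed placeholders; substitute the values from your own account.
ACCOUNT_ID = "111122223333"
REGION = "eu-west-1"
INPUT_BUCKET = "example-agent-input"
OUTPUT_BUCKET = "example-agent-output"
INTAKE_QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT_ID}:agent-intake"
MODEL_ARN = f"arn:aws:bedrock:{REGION}::foundation-model/EXAMPLE-MODEL-ID"
GUARDRAIL_ARN = f"arn:aws:bedrock:{REGION}:{ACCOUNT_ID}:guardrail/EXAMPLE-GUARDRAIL-ID"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/EXAMPLE-KEY-ID"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/agent/underwriting:*"

# The only actions the checklist lets the execution role hold.
ALLOWED_ACTIONS = {
    "s3:GetObject", "s3:PutObject",
    "bedrock:InvokeModel", "bedrock:ApplyGuardrail",
    "sqs:ReceiveMessage", "sqs:DeleteMessage",
    "logs:PutLogEvents",
    "kms:Decrypt",
}


def build_execution_role_policy() -> dict:
    """Allow statements pinned to named resources, plus an explicit deny of everything else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "S3Input", "Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{INPUT_BUCKET}/*"]},
            {"Sid": "S3Output", "Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{OUTPUT_BUCKET}/*"]},
            {"Sid": "Bedrock", "Effect": "Allow",
             "Action": ["bedrock:InvokeModel", "bedrock:ApplyGuardrail"],
             "Resource": [MODEL_ARN, GUARDRAIL_ARN]},
            {"Sid": "Sqs", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
             "Resource": [INTAKE_QUEUE_ARN]},
            {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"],
             "Resource": [LOG_GROUP_ARN]},
            # kms:Decrypt only: the role cannot rotate, disable or delete the key.
            {"Sid": "KmsDecryptOnly", "Effect": "Allow", "Action": ["kms:Decrypt"],
             "Resource": [KMS_KEY_ARN]},
            # Explicit deny-all for anything outside the approved action set.
            {"Sid": "DenyEverythingElse", "Effect": "Deny",
             "NotAction": sorted(ALLOWED_ACTIONS), "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_gate_findings(policy: dict) -> list:
    """Return checklist violations found in the policy; an empty list passes the gate."""
    findings, granted, explicit_deny = [], set(), False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") == "Deny":
            if "NotAction" in stmt and stmt.get("Resource") == "*":
                explicit_deny = True
            continue
        for action in _as_list(stmt.get("Action", [])):
            granted.add(action)
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in ALLOWED_ACTIONS:
                note = " (role must hold kms:Decrypt only)" if action.startswith("kms:") else ""
                findings.append(f"{sid}: action {action!r} not in approved set{note}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: Allow statement on Resource '*'")
    missing = ALLOWED_ACTIONS - granted
    if missing:
        findings.append(f"required actions absent: {sorted(missing)}")
    if not explicit_deny:
        findings.append("no explicit deny-all statement for non-approved actions")
    return findings


if __name__ == "__main__":
    policy = build_execution_role_policy()
    print(json.dumps(policy, indent=2))
    print("gate findings:", policy_gate_findings(policy) or "none")
```

Running the gate against the policy document attached to the real role (for example, the output of a get-role-policy call saved to a file) rather than the constructed one above makes it a repeatable pre-go-live check; the constructed policy passes it, and a variant that adds a key-management action or widens a resource to `*` fails it.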
AI Inference & Guardrails (2 items)
| checklist item | owner |
|---|---|
| Amazon Bedrock Guardrail policy configured by your AI Platform team: topic denial policies, PII redaction rules, grounding check enabled, prompt injection protection enabled | Your AI Platform Team |
| Designated Bedrock model ARN approved, access granted in IAM role, and Bedrock service quota confirmed sufficient for expected concurrent case volume | Your AI Platform Team |
Observability & Audit (3 items)
| checklist item | owner |
|---|---|
| CloudWatch Log Group created with 7-year retention policy and data protection lock (tamper prevention) applied | Your Platform Engineering |
| CloudWatch Metrics dashboard configured for operational monitoring: cases_processed_count, cases_flagged_for_escalation_count, average_processing_time_seconds, guardrail_interventions_count, queue depth | Your Platform Engineering |
| CloudWatch Alarms configured: error rate threshold, queue depth breach, model timeout rate, agent health degradation — with on-call notification routing | Your Platform Engineering |
CI/CD Pipeline (1 item)
| checklist item | owner |
|---|---|
| Container image promotion pipeline gates configured: Inspector scan gate, regression test gate, approval gate, and post-deploy verification alarm monitoring | Your Platform Engineering |
AOP Onboarding & Governance (4 items)
| checklist item | owner |
|---|---|
| Your organisation’s underwriting SOP documents provided to Layerup implementation team for AOP authoring | Your Underwriting Leadership |
| AOP validation test set (historical cases with known outcomes, minimum 50 cases recommended) provided to Layerup for validation testing | Your Underwriting Leadership |
| AOP stored in your source control system (CodeCommit / GitHub Enterprise) with approval workflow configured for AOP amendments | Your Platform Engineering |
| AOP version confirmed as meeting >99% reproducibility target on validation case set before production go-live | Layerup + Your Underwriting Leadership |
Deployment Strategy & Rollout (3 items)
| checklist item | owner |
|---|---|
| Blue/Green or Shadow Mode deployment strategy selected and infrastructure configured before first live traffic | Your Platform Engineering + Layerup |
| Initial phase rollout percentage defined — recommended: Phase 1 at 10% of live application volume | Your Underwriting Leadership + Layerup |
| Escalation workflow to human senior underwriter configured and tested: escalation queue routing, SLA assignment, notification to on-call underwriter | Your Underwriting Operations |
11.2 Azure deployment readiness checklist
Procurement & Registry (3 items)
| checklist item | owner |
|---|---|
| Azure Marketplace offer subscription active for Layerup AI Agent (Container App offer or Managed Application) | Your Procurement + Microsoft Account Team |
| Azure Container Registry (ACR) instance provisioned within your Azure tenant; geo-replication enabled across designated regions | Your Platform Engineering |
| Azure Defender for Containers enabled on ACR for continuous image scanning | Your Security Team |
Network (3 items)
| checklist item | owner |
|---|---|
| Azure Virtual Network with private subnet configured for agent compute — no direct route to public internet from agent subnet | Your Platform Engineering |
| Private Endpoints provisioned for: Azure Blob Storage, Azure Service Bus, Azure OpenAI | Your Platform Engineering |
| Network Security Group (NSG) rules configured: no inbound from outside VNet; outbound restricted to Private Endpoint destinations only | Your Security Team |
Encryption & Key Management (2 items)
| checklist item | owner |
|---|---|
| Azure Key Vault provisioned with CMK for agent data encryption; access policies restrict agent Managed Identity to Secrets User role only | Your Security Team |
| Blob Storage input and output containers configured with CMK encryption and RBAC-scoped access (Managed Identity access only) | Your Platform Engineering |
Queuing & Event Infrastructure (1 item)
| checklist item | owner |
|---|---|
| Azure Service Bus namespace and queues configured with Dead-Letter Queue; KEDA autoscaling configured on Container Apps environment or AKS HPA configured for SB queue depth | Your Platform Engineering |
Identity & Access (2 items)
| checklist item | owner |
|---|---|
| User-Assigned Managed Identity created with least-privilege RBAC assignments: Blob Data Reader (input), Blob Data Contributor (output), Cognitive Services OpenAI User (specific OpenAI resource), Key Vault Secrets User (designated vault), Monitoring Metrics Publisher (designated workspace) | Your Security Team |
| Confirmed: identity has no subscription-level roles and no access to resources outside explicitly scoped assignments | Your Security Team |
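Both Azure Identity & Access items reduce to a check over the Managed Identity's role assignments: every assignment uses one of the approved built-in roles, is scoped to a single named resource of the right type, and nothing sits at management-group, subscription or resource-group scope. The following is an added example, not Layerup's own code: it classifies each assignment's scope from its resource-ID path and reports any assignment that breaks those rules. The subscription id, resource group and resource names are constructed placeholders, and the assignment list is a constructed sample of what a role-assignment listing for the identity would contain.

```python
"""Added example, not Layerup's own code: a pre-go-live gate over the role assignments
of the agent's User-Assigned Managed Identity, covering both Identity & Access items.
Subscription id, resource group and resource names are constructed placeholders."""
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RG_SCOPE = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-underwriting-agent"

# Approved built-in role -> resource type the checklist scopes it to.
EXPECTED_ROLE_TYPES = {
    "Storage Blob Data Reader": "Microsoft.Storage/storageAccounts",       # input container
    "Storage Blob Data Contributor": "Microsoft.Storage/storageAccounts",  # output container
    "Cognitive Services OpenAI User": "Microsoft.CognitiveServices/accounts",
    "Key Vault Secrets User": "Microsoft.KeyVault/vaults",
    "Monitoring Metrics Publisher": "Microsoft.OperationalInsights/workspaces",
}

# Constructed sample of the identity's role assignments (role name + scope resource ID).
AGENT_ASSIGNMENTS = [
    {"role": "Storage Blob Data Reader",
     "scope": f"{RG_SCOPE}/providers/Microsoft.Storage/storageAccounts/stagentdata"
              "/blobServices/default/containers/input"},
    {"role": "Storage Blob Data Contributor",
     "scope": f"{RG_SCOPE}/providers/Microsoft.Storage/storageAccounts/stagentdata"
              "/blobServices/default/containers/output"},
    {"role": "Cognitive Services OpenAI User",
     "scope": f"{RG_SCOPE}/providers/Microsoft.CognitiveServices/accounts/oai-underwriting"},
    {"role": "Key Vault Secrets User",
     "scope": f"{RG_SCOPE}/providers/Microsoft.KeyVault/vaults/kv-agent"},
    {"role": "Monitoring Metrics Publisher",
     "scope": f"{RG_SCOPE}/providers/Microsoft.OperationalInsights/workspaces/law-agent"},
]

# Scope shapes, from broadest to narrowest. A resource scope may continue into a
# child resource (e.g. a blob container), hence the optional trailing path.
_SUBSCRIPTION = re.compile(r"^/subscriptions/[^/]+/?$", re.IGNORECASE)
_RESOURCE_GROUP = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/?$", re.IGNORECASE)
_RESOURCE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"(?P<type>[^/]+/[^/]+)/[^/]+(?:/.*)?$", re.IGNORECASE)


def classify_scope(scope: str) -> str:
    """Return 'managementGroup', 'subscription', 'resourceGroup', 'resource' or 'unknown'."""
    if scope.lower().startswith("/providers/microsoft.management/managementgroups/"):
        return "managementGroup"
    if _SUBSCRIPTION.match(scope):
        return "subscription"
    if _RESOURCE_GROUP.match(scope):
        return "resourceGroup"
    if _RESOURCE.match(scope):
        return "resource"
    return "unknown"


def rbac_gate_findings(assignments, expected=EXPECTED_ROLE_TYPES) -> list:
    """Return checklist violations across the assignments; an empty list passes the gate."""
    findings, seen = [], set()
    for assignment in assignments:
        role, scope = assignment["role"], assignment["scope"]
        if role not in expected:
            findings.append(f"{role!r}: not an approved role ({scope})")
        kind = classify_scope(scope)
        if kind != "resource":
            findings.append(f"{role!r}: assigned at {kind} scope, not a single resource ({scope})")
            continue
        resource_type = _RESOURCE.match(scope).group("type")
        if role in expected and resource_type.lower() != expected[role].lower():
            findings.append(f"{role!r}: scoped to {resource_type}, expected {expected[role]}")
        seen.add(role)
    missing = set(expected) - seen
    if missing:
        findings.append(f"approved roles not yet assigned: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for assignment in AGENT_ASSIGNMENTS:
        print(f"{assignment['role']:32} {classify_scope(assignment['scope'])}")
    print("gate findings:", rbac_gate_findings(AGENT_ASSIGNMENTS) or "none")
```

The scope classification is the part worth keeping: a role that is harmless at one resource (Key Vault Secrets User on one vault) becomes a standing grant over every vault in the group when assigned at resource-group scope, and the gate reports exactly that case.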
AI Inference & Guardrails (2 items)
| checklist item | owner |
|---|---|
| Azure OpenAI resource provisioned within your Azure tenant (not shared/public endpoint); Azure AI Foundry hub configured | Your AI Platform Team |
| Azure AI Content Safety policy configured: harm category classifiers enabled, Prompt Shield enabled, custom blocklists added as required | Your AI Platform Team |
Observability & Audit (2 items)
| checklist item | owner |
|---|---|
| Log Analytics Workspace configured with 7-year retention and immutability policy; Azure Monitor export to Azure Storage with lifecycle management to archive tier enabled | Your Platform Engineering |
| Azure Monitor Alerts configured for agent health degradation, queue depth breach, and SLA breach — with on-call operations notification routing | Your Platform Engineering |
CI/CD Pipeline (1 item)
| checklist item | owner |
|---|---|
| Azure DevOps (or GitHub Actions) pipeline gates configured for container image promotion: Defender scan gate, regression test gate, approval gate, and post-deploy monitoring window | Your Platform Engineering |
11.3 Key contacts
| contact | role |
|---|---|
| Layerup Implementation Lead | Primary point of contact for AOP onboarding, integration design, and deployment support. Engaged throughout the implementation phase. |
| Layerup Solutions Engineering | Technical resource for cloud architecture questions, IAM policy review, data pipeline integration design, and VPC / VNet topology guidance. |
| Layerup Security Team | Available to participate in your vendor security review process. Provides SOC 2 Type II report, penetration test results, SBOM documentation, and Cosign signature verification guidance under NDA. |