Cloud Due Diligence Checklist for PE Transactions
In hundreds of engagements with PE firms evaluating technology companies, I have developed a structured cloud due diligence framework that surfaces the issues most likely to impact deal economics. This is not a theoretical exercise -- every item on this checklist traces back to a real situation where a missed finding cost an investor real money.
I have organized this checklist into five categories: Cost Management Maturity, Architecture Assessment, Security Posture, Operational Readiness, and Vendor Relationships. For each category, I provide the key questions to ask, what good answers look like, and the financial implications of deficiencies.
You can download the complete checklist in a printable format at /resources.
Category 1: Cost Management Maturity
This category assesses whether the target company has the visibility and discipline to manage cloud spending effectively.
Key questions to ask:
- What is the total monthly cloud spend, and what has the trend been over the last 12-24 months?
- What percentage of resources have cost allocation tags? Which tag keys are enforced?
- Is there a multi-account strategy with spending tracked per account?
- What is the current Reserved Instance or Savings Plan coverage ratio?
- Who is accountable for cloud spending? Is there a FinOps function or designated owner?
- Are there automated alerts or budgets configured for spending anomalies?
- Can the company provide unit economics (cost per customer, cost per transaction, cost per API call)?
What good looks like: The company can immediately produce a breakdown of cloud spend by product, environment, and team. Tag coverage exceeds 80%. RI/Savings Plan coverage for stable workloads exceeds 60%. There is a named individual or team responsible for cloud cost management, and they conduct monthly reviews.
What bad looks like: The CFO or VP of Engineering cannot answer basic questions about cloud spend composition. The AWS bill is treated as a single line item. No one has ever analyzed Reserved Instance coverage. The monthly bill has grown 30%+ year-over-year with no explanation tied to revenue growth.
Financial implication: Companies with low cost management maturity typically have 25-40% optimization potential. This is both a risk (hidden costs) and an opportunity (post-acquisition value creation).
Category 2: Architecture Assessment
Architecture decisions made years ago compound into significant cost implications. This category evaluates whether the target's cloud architecture is efficient, scalable, and cost-optimized.
Key questions to ask:
- Is the application cloud-native, or was it a lift-and-shift migration?
- What is the compute platform? (EC2, ECS, EKS, Lambda, or a mix?)
- Are workloads containerized? If so, what is the orchestration platform?
- Is autoscaling implemented for variable workloads? What scaling policies are in place?
- What database services are used, and how are they sized?
- How is data stored and tiered? Is there a data lifecycle policy?
- What is the data transfer architecture? Are there cross-region or cross-AZ transfer costs?
- Is the architecture multi-tenant or single-tenant? What are the cost implications of each?
What good looks like: The company has a documented architecture with clear rationale for technology choices. Workloads are containerized where appropriate, autoscaling is configured for variable-demand services, databases are right-sized, and there is a clear data lifecycle policy that moves aging data to cheaper storage tiers.
What bad looks like: The architecture is a lift-and-shift from on-premises, running on oversized EC2 instances with no autoscaling. Databases are running on the same instance size they were provisioned with two years ago. There is no data lifecycle policy, and S3 storage costs are growing unchecked at 20-30% per year.
Financial implication: Architectural inefficiency is the largest category of cloud waste by potential dollar impact, but also the most expensive and time-consuming to remediate. Factor 6-18 months and dedicated engineering resources into your plan.
Category 3: Security Posture
Security issues do not directly impact EBITDA, but they represent material risk -- both the risk of a breach (which can be catastrophic) and the risk of compliance gaps that could delay or derail a transaction.
Key questions to ask:
- Is the AWS environment configured with AWS Organizations and Service Control Policies?
- Are IAM roles and policies following least-privilege principles?
- Is MFA enforced for all console access, especially root accounts?
- Are there any publicly accessible S3 buckets, databases, or other resources?
- What encryption standards are in place for data at rest and in transit?
- Is there a vulnerability management program for cloud infrastructure?
- Are AWS CloudTrail logs enabled and retained for at least 12 months?
- Is there a documented incident response plan for cloud security events?
- Has the company undergone any security audits or penetration tests in the last 12 months?
What good looks like: AWS Organizations with SCPs enforcing guardrails across all accounts. Least-privilege IAM with regular access reviews. No publicly accessible resources that should be private. Encryption at rest and in transit as defaults. Active vulnerability scanning and patch management. CloudTrail enabled with centralized logging.
What bad looks like: Single AWS account with root credentials shared among team members. No MFA. Publicly accessible S3 buckets or database ports. No encryption standards. No logging or monitoring. Last security assessment was "never."
Financial implication: A major security breach can cost $1-10M+ in direct costs (incident response, notification, legal) and multiples of that in business impact. Compliance gaps can delay close timelines or create indemnification requirements. Budget $50K-$200K for security remediation if significant gaps are identified.
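The MFA and root-credential questions above can be answered from evidence rather than interviews by asking the target for its IAM credential report. The following is an added example, not part of the original checklist: it parses a constructed sample in that report's CSV layout and flags console identities without MFA, plus active root access keys (a check that goes slightly beyond the questions listed, as an indicator of shared root credentials). The finding labels and function names are illustrative assumptions.

```python
import csv
import io

# Constructed sample: a subset of the columns in an IAM credential report.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,false
"""

ROOT = "<root_account>"  # name the report uses for the account root user


def _is_true(row, column):
    """Treat a missing or non-'true' cell as False."""
    return (row.get(column) or "").strip().lower() == "true"


def _has_console(row):
    # The report gives "not_supported" for root's password_enabled; root can
    # always sign in to the console, so count it as console access.
    return row["user"] == ROOT or _is_true(row, "password_enabled")


def audit_credential_report(report_csv):
    """Return (user, finding) pairs for the MFA and root-credential questions."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, is_root = row["user"], row["user"] == ROOT
        if _has_console(row) and not _is_true(row, "mfa_active"):
            findings.append((user, "ROOT_NO_MFA" if is_root else "CONSOLE_NO_MFA"))
        if is_root and any(_is_true(row, f"access_key_{n}_active") for n in (1, 2)):
            findings.append((user, "ROOT_ACCESS_KEY_ACTIVE"))
    return findings


def mfa_coverage(report_csv):
    """Return (console identities with MFA, all console identities)."""
    rows = [r for r in csv.DictReader(io.StringIO(report_csv)) if _has_console(r)]
    return sum(_is_true(r, "mfa_active") for r in rows), len(rows)


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{finding}: {user}")
    print("MFA coverage: %d of %d console identities" % mfa_coverage(SAMPLE_REPORT))
```

A real report is retrieved with `aws iam get-credential-report`, whose `Content` field holds the base64-encoded CSV; run the check once per account in a multi-account environment.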
Category 4: Operational Readiness
This category evaluates whether the company can reliably operate its cloud infrastructure -- which directly impacts uptime, customer satisfaction, and the ability to execute post-acquisition plans.
Key questions to ask:
- What is the deployment process? How frequently does the company deploy to production?
- Is there a CI/CD pipeline? What tools are used?
- What is the monitoring and alerting stack?
- What has the incident history been over the last 12 months? What were root causes?
- Is there infrastructure-as-code (IaC)? What percentage of resources are managed by IaC?
- Are there documented runbooks for common operational procedures?
- What is the disaster recovery plan? Has it been tested?
- What are the current SLA commitments to customers, and what has actual uptime been?
What good looks like: Automated CI/CD pipelines with multiple deployments per week. Comprehensive monitoring with proactive alerting. Greater than 80% IaC coverage. Documented and tested DR plan. 99.9%+ actual uptime over the last 12 months.
What bad looks like: Manual deployments requiring SSH access to production servers. Minimal monitoring -- the team learns about outages from customers. No IaC -- resources were created manually through the AWS console. No DR plan. Multiple significant outages in the last 12 months.
Financial implication: Operational immaturity increases the risk of outages (which impact revenue and reputation) and makes post-acquisition changes riskier and slower. It also signals that the engineering team will need investment in tooling and processes before you can execute on more ambitious value creation plans.
Category 5: Vendor Relationships
The commercial relationship with cloud providers is often overlooked in diligence, but it can have meaningful financial implications.
Key questions to ask:
- Is there an Enterprise Discount Program (EDP) or Private Pricing Agreement in place?
- What are the terms, commit levels, and expiration dates?
- Is the company working with an AWS partner or reseller? What are the terms?
- Are there any cloud marketplace commitments or third-party software licenses tied to the cloud account?
- What is the AWS support plan level, and what has the actual support utilization been?
- Are there any pending credits, promotional balances, or outstanding disputes?
What good looks like: An active EDP with terms aligned to actual usage. Clean vendor relationships with documented agreements. Business-level support with demonstrated utilization. Regular engagement with the AWS account team.
What bad looks like: No EDP despite spending that would qualify (typically $1M+ annually). A reseller relationship where the company is paying a markup with no added value. Enterprise support plan ($15,000+/month) with minimal utilization.
Financial implication: EDP negotiations alone can save 5-15% on total cloud spend for qualifying companies. Optimizing support plans and vendor relationships can save an additional $50K-$200K annually.
Putting It All Together
Each of these categories contributes to an overall Cloud Maturity Score that I use to quantify both the risk and the opportunity associated with a target's cloud infrastructure. A low-maturity company is not necessarily a bad investment -- in fact, the optimization opportunity can be a significant source of post-acquisition value creation. But you need to price it correctly and plan for it in your 100-day plan.
Download the complete Cloud Due Diligence Checklist at /resources, including scoring rubrics and recommended follow-up questions for each area.