A 90-Day Roadmap to Cloud Operations Maturity

Joe Karlsson


Plans Beat Intentions Every Time #

We've spent ten posts describing the cloud operations gap, how to measure it, and the tools and patterns that close it. But here's what we've seen repeatedly: teams that agree with every word of the strategy still stall at implementation.
The problem isn't knowledge. It's sequencing. When you can see a hundred things to fix, it's hard to know which one to do on Monday morning.
This post solves that. We're laying out a 90-day roadmap, week by week, that takes you from fragmented visibility to automated governance. It's organized into three phases, each building on the previous one. If you've been reading this series and wondering "where do I actually start?", this is the answer.

Phase 1: Foundation (Days 1-30) #

The goal of the first month is simple: see everything. You can't govern what you can't see, and you can't automate what you can't query. 89% of organizations use multiple cloud providers, and most of them can't answer basic questions about what's running across those accounts. Phase 1 fixes that.

Week 1-2: Deploy Cloud Asset Inventory #

Start by getting a cloud asset inventory connected and syncing.
  • Connect all cloud accounts. AWS, Azure, GCP. Start with one provider if connecting everything at once feels overwhelming. You can always expand in week 3.
  • Run your first full sync. This is the moment where you find out how many resources you actually have. It's almost always more than anyone expected.
  • Validate resource counts against known baselines. Compare sync results to what your team believes exists. The delta between belief and reality is your visibility gap, measured in hard numbers.
  • Establish data freshness targets. Daily syncs are the minimum. Hourly is where you want to get. Fresh data is the foundation everything else builds on.
The quickstart guide gets you syncing resources in under 15 minutes. Don't spend two weeks on architecture planning. Get data flowing first, then refine.

Week 3-4: Establish Baseline Visibility #

With inventory data flowing, use it to understand your current state.
  • Run an initial security posture assessment. Use the SQL queries from Part 8 to find public buckets, unencrypted volumes, missing MFA, and open security groups.
  • Identify your top 10 critical misconfigurations. Not all findings are equal. Rank by risk and blast radius. A public S3 bucket in your production account is more urgent than a missing tag in dev.
  • Map resource ownership, even if it's incomplete. Getting to 60% ownership coverage in month one is a win. Perfect coverage is a quarter-two goal.
  • Document what you can now see that was previously invisible. This list becomes ammunition for your Phase 1 progress report.
  • Take the maturity self-assessment from Part 2. Record your baseline scores. You'll retake this in Phase 3 to show improvement.
Phase 1 milestone: Can you answer "how many X do we have across all accounts?" in under 60 seconds for any resource type? If yes, you've built the foundation everything else depends on.

Phase 2: Governance (Days 31-60) #

You can see your infrastructure. Now set the rules for how it should be configured. Phase 2 turns visibility into governance by encoding your security and compliance requirements as policies that run automatically.

Week 5-6: Implement Core Security Policies #

  • Define your top 20 security policies as SQL queries. Start with the CIS benchmark critical controls. These cover the most common audit findings and represent the highest-impact security improvements.
  • Run policies against current state and document findings. You'll likely find hundreds of violations. That's normal. The point isn't to fix everything today. The point is to know what needs fixing and track it.
  • Establish remediation SLAs by severity. Critical findings get 24-hour SLAs. High gets a week. Medium gets a sprint. Low gets tracked for the next quarter. Without SLAs, findings sit in a backlog forever.

Week 7-8: Build Compliance Automation #

  • Map policies to compliance frameworks. SOC 2, CIS, PCI-DSS. Each SQL policy check gets tagged with the controls it satisfies. The same query that finds a misconfiguration now also produces compliance evidence.
  • Schedule policy evaluation. Daily at minimum. This is where you move from "run queries when someone remembers" to "automated checks that run whether anyone thinks about them or not."
  • Build a compliance dashboard showing pass/fail rates over time. The trend line matters more than any single snapshot. Auditors and leadership both respond to charts showing steady improvement.
  • Generate your first automated compliance report. This is a milestone worth celebrating. What used to take weeks of manual evidence collection now takes a query.
  • Implement drift detection and alerting. When a previously compliant resource goes out of compliance, you want to know within hours, not at the next quarterly review.
Phase 2 milestone: Can you generate compliance evidence for any framework in under 1 hour? If the answer used to be "weeks" and it's now "one hour," you've already built the business case for the entire initiative.
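The following is an added example, not code from the original post or from CloudQuery, that ties Weeks 5-6 and 7-8 together: security policies written as SQL queries with a severity and remediation SLA, evaluated against an inventory table, tagged with the framework controls they evidence, and compared across two syncs for drift. The table layout, resource rows and control ids are constructed placeholders, not CloudQuery's schema or a real CIS/SOC 2 mapping.

```python
import sqlite3
from datetime import timedelta

# Constructed inventory rows: (id, account, type, public, encrypted).
# The table layout is an assumption made for this example, not CloudQuery's schema.
SNAPSHOT_DAY1 = [
    ("logs-bucket", "prod", "s3_bucket", 1, 1),
    ("data-bucket", "prod", "s3_bucket", 0, 1),
    ("vol-0a1", "dev", "ebs_volume", 0, 0),
]
SNAPSHOT_DAY2 = [
    ("logs-bucket", "prod", "s3_bucket", 1, 1),
    ("data-bucket", "prod", "s3_bucket", 1, 1),  # flipped to public since day 1: drift
    ("vol-0a1", "dev", "ebs_volume", 0, 1),      # encrypted since day 1: remediated
]

# Each policy is a SQL query that returns violating resource ids, tagged with a
# severity and the framework controls it evidences (control ids are placeholders).
POLICIES = {
    "s3-bucket-public": {
        "sql": "SELECT id FROM resources WHERE type = 's3_bucket' AND public = 1",
        "severity": "critical", "controls": ["CIS-PLACEHOLDER-1", "SOC2-PLACEHOLDER-A"]},
    "storage-unencrypted": {
        "sql": "SELECT id FROM resources WHERE encrypted = 0",
        "severity": "high", "controls": ["CIS-PLACEHOLDER-2"]},
}
SLA = {"critical": timedelta(hours=24), "high": timedelta(days=7),
       "medium": timedelta(days=14), "low": timedelta(days=90)}

def evaluate(snapshot):
    """Run every policy over one inventory snapshot; return {policy: set of violating ids}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resources (id TEXT, account TEXT, type TEXT, public INT, encrypted INT)")
    db.executemany("INSERT INTO resources VALUES (?, ?, ?, ?, ?)", snapshot)
    return {name: {row[0] for row in db.execute(p["sql"])} for name, p in POLICIES.items()}

def drift(before, after):
    """Resources compliant in 'before' that violate in 'after': the alerts worth sending."""
    return {name: after[name] - before[name] for name in POLICIES if after[name] - before[name]}

def compliance_evidence(findings):
    """Per framework control: PASS/FAIL, the violating ids, and the SLA they are held to."""
    evidence = {}
    for name, ids in findings.items():
        policy = POLICIES[name]
        for control in policy["controls"]:
            entry = evidence.setdefault(control, {"violations": set(), "sla": SLA[policy["severity"]]})
            entry["violations"] |= ids
            entry["status"] = "FAIL" if entry["violations"] else "PASS"
    return evidence
```

Running `evaluate` on each scheduled sync and feeding consecutive results to `drift` gives the "went out of compliance since yesterday" alert; `compliance_evidence` is the per-control view an audit report is built from.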

Phase 3: Optimization (Days 61-90) #

Visibility and governance are in place. Phase 3 is about closing the loop with automation and proving the value of everything you've built.

Week 9-10: Automate Responses #

  • Implement auto-remediation for your top 5 most common violations. Start with the low-risk, high-frequency stuff: unencrypted EBS volumes in dev accounts, missing required tags, security group rules that are too broad. These are safe to auto-fix and they clear out the noise.
  • Build notification workflows for violations requiring human judgment. Not everything should be auto-remediated. A public-facing production resource with unusual access patterns needs a human to investigate, not a bot to reconfigure.
  • Create exception tracking and set up cost anomaly detection. The eBook includes complete checklists for exception approval workflows and FinOps alerting thresholds for each of these items.

Week 11-12: Measure and Iterate #

  • Retake the maturity self-assessment from Part 2. Compare your scores to the baseline you recorded in Phase 1. This is the single most important metric for leadership.
  • Calculate toil reduction and document ROI for leadership. Cost savings from optimization, risk reduction from faster detection, and time saved from automation. Put dollar figures on all three.
  • Present results to stakeholders. This isn't optional. If you don't show what you've accomplished, the initiative won't get continued investment. The eBook includes a leadership ROI template and presentation structure for this conversation.
Phase 3 milestone: Measurable improvement in your maturity score. Toil reduced by 40% or more from your baseline. If you can walk into a leadership meeting with those numbers, the next quarter's budget conversation is a lot easier.

The Week-by-Week Summary #

Week    Focus                   Key Deliverable
1-2     Deploy inventory        All cloud accounts connected, first sync complete
3-4     Baseline visibility     Top 10 misconfigs identified, maturity assessment recorded
5-6     Security policies       20 SQL policies running, remediation SLAs established
7-8     Compliance automation   Automated reports, drift detection, compliance dashboard
9-10    Auto-remediation        Top 5 violations auto-fixed, exception workflows live
11-12   Measure and report      ROI documented, maturity reassessed, next quarter planned

Implementation Tips #

Start small, then expand. Connect one cloud provider first. Get the workflow right with AWS before you add Azure and GCP. Trying to cover everything from day one is the fastest way to stall.
Get quick wins in Weeks 1-2. That first full sync will reveal things nobody knew about. Share those findings. "We found 47 unencrypted EBS volumes nobody knew existed" builds momentum and justifies continued investment better than any slide deck.
Involve security and compliance teams early. They're your biggest advocates, not your adversaries. When you hand them a SQL query that produces compliance evidence in 30 seconds instead of three weeks, they'll fight for your budget in the next planning cycle.
Track metrics from day one. If you don't measure where you start, you can't show improvement. Record baseline maturity scores, time spent on manual tasks, and the number of questions you can't answer. These become your "before" numbers.
Don't try to fix everything at once. Prioritize by risk and impact. A public S3 bucket in a production account is worth more attention than a missing tag in a sandbox. Focus on what matters most, not what's easiest to count.

Four Pitfalls That Derail 90-Day Plans #

We've watched enough teams attempt this roadmap to know where things go wrong.
Boiling the ocean. Trying to cover every resource type from day one. You don't need to inventory every Lambda function, SNS topic, and CloudWatch alarm in week one. Start with the resource types that matter most: compute, storage, networking, IAM. Expand coverage after the foundation is solid.
Skipping the baseline. Without measuring where you start, you can't show improvement. And without showing improvement, you can't justify continued investment. Take the maturity assessment. Record the numbers. You'll thank yourself in 90 days.
Policy without enforcement. Writing policies nobody checks is worse than having no policies at all. It creates a false sense of security. If a policy exists, it should run on a schedule, and violations should route to someone accountable.
Automation without visibility. Trying to auto-remediate before you understand your estate is dangerous. You need to know what's running and why before you start automatically changing things. Phase 1 before Phase 3. Always.

Making the Case to Leadership #

If you need to pitch this roadmap internally, here's the structure that works:
The problem. Only 8% of organizations qualify as highly cloud-mature. The gap between what we think we know and what's actually running costs us time, money, and risk exposure.
The plan. A 90-day roadmap with clear phases, weekly milestones, and measurable outcomes. Not a multi-year initiative. Three months.
The investment. One platform engineering engineer's time for 90 days, plus tooling costs. Compare that to the cost of a single compliance audit overrun, a single security incident from a misconfigured resource, or a single quarter of unattributed cloud spend.
The payoff. Compliance evidence in hours instead of weeks. Security findings in minutes instead of never. Toil reduction measured in engineer-hours per week. And a maturity score you can track quarter over quarter.

Key Takeaways #

  • Phase 1 (Days 1-30) is about visibility. Connect accounts, run first syncs, baseline your maturity. Everything else depends on being able to see what you have.
  • Phase 2 (Days 31-60) turns visibility into governance. Encode your requirements as SQL policies, automate compliance checks, and build dashboards that show progress.
  • Phase 3 (Days 61-90) closes the loop. Auto-remediate the common stuff, measure improvement, and build the business case for continued investment.
  • Start small, track everything, and show results early. Quick wins in the first two weeks build the momentum that carries you through month three.
  • Avoid the four common pitfalls. Don't boil the ocean, don't skip the baseline, don't write unenforced policies, and don't automate before you have visibility.
The final post in this series turns the qualitative progress from this roadmap into hard numbers. Part 12 covers Cloud Operations Metrics That Matter, giving you a scorecard of metrics that prove the value of cloud operations investment to leadership, finance, and the board.
About This Series: This is Part 11 of our 12-part Cloud Operations Playbook series. Each post builds on the previous, covering the gap between what leadership thinks they know about cloud infrastructure and what's actually running.

FAQ #

How Long Does It Really Take to Implement This Roadmap? #

90 days for the core implementation. Most teams start seeing value in the first two weeks when the initial inventory sync reveals resources they didn't know about. The full governance and automation layers take the remaining time to build out. Some teams move faster, some slower. The week-by-week structure is a guide, not a rigid schedule.

Can I Start with Just One Cloud Provider? #

Yes, and we recommend it. Connect your primary cloud provider first (usually AWS), get the workflow right, and expand to additional providers in subsequent weeks. Trying to connect everything simultaneously adds complexity without adding proportional value in the early stages.

What If We Don't Have a Dedicated Platform Engineering Team? #

You don't need one. A single engineer spending 50% of their time on this roadmap can execute Phase 1 and most of Phase 2. The SQL-based approach means security engineers, SREs, or even infrastructure-savvy DevOps engineers can contribute directly. The skill set is writing SQL and understanding cloud infrastructure, not specialized platform engineering.

How Do We Measure ROI for Leadership? #

Three categories: time saved (hours per week no longer spent on manual inventory, compliance evidence gathering, and security investigations), risk reduction (number of misconfigurations found and remediated, mean time to detect violations), and cost savings (unattributed spend identified, waste eliminated through better visibility). Put dollar figures on each. See Part 12 for a detailed metrics framework.

What Are the Most Common Reasons This Roadmap Fails? #

Trying to do too much too fast is the top failure mode. Teams that attempt to cover every resource type, every compliance framework, and every cloud account in month one usually stall by week three. The second most common failure is not tracking baseline metrics, which makes it impossible to demonstrate improvement. Third is policy without enforcement, where teams write rules but never automate checking them.

How Does This Roadmap Map to the Maturity Model? #

Phase 1 takes most teams from Level 1 (Reactive) to Level 2 (Visible). Phase 2 moves you to Level 3 (Governed). Phase 3 pushes toward Level 4 (Optimized). The maturity self-assessment from Part 2 provides the exact scoring framework. Take it at the start of Phase 1 and again at the end of Phase 3 to measure your progression.

Should We Involve Auditors or Compliance Teams During the 90 Days? #

Involve your internal compliance team from the start. They'll help you prioritize which policies to write first and which compliance frameworks to map to. External auditors don't need to be involved during the 90 days, but showing them your automated compliance reports at the next audit will make the engagement dramatically smoother.