This question verges upon opinion-based, but I'll try and provide some suggestions based on my experience (which is biased towards PCI but touches on others). It isn't specific to the cloud but I believe there's an equivalence.
Some rules of thumb:
- Attestations / summaries are distributed, reports are generally not
- Policies are more likely shared than distributed
- Formal audits are often subject to distribution limits
Some more information on these ROT:
Audits and scans often come in multiple levels. For example, a PCI audit will result in a ROC (Report On Compliance) and an AOC (Attestation Of Compliance). The former is a fully detailed report, and the latter is a quick summary. The AOC is for distribution, and the ROC is not. And - in the case of PCI - the AOC is not considered fully authoritative; the Service Provider Listing on the card brands' site is what customers are directed to for an authoritative source (compliance can be invalidated within a report's valid timeframe...).
The same is generally true of scans. Detailed scan results, which list items that are not desirable even if they aren't fully non-compliant, are almost never distributed. Top-level reports which list whether or not items existed are pretty much it.
When it comes to policies, these are generally handed out only grudgingly. A common practice is to permit partners to come onsite to view the policies rather than distributing them. This both ensures the security of the policies from distribution and subtly discourages partners from going through the trouble of coming to get them.
This is very one-sided, by the way. I've worked for a large bank which required copies of security policies for any company that wanted to integrate anything with them. They're in a position to demand that, and they do. The client of a bank or a service provider, however, lacks the leverage required to demand the same. Also, what I said about the ROC and AOC - the ROC must be handed up the ladder to the Card Brands; that's what it's for. But it's never shared downward.
Finally, be aware that limits may apply. If you have a contract, then it may include contractual obligations. Large customers will often demand clauses that allow them access to things, or even to audit the service provider on a regular basis. Some auditors place distribution limits on their full audit report, and in the case of an SSAE16 SOC 2 report, distribution is disallowed by default.