
TA-002-P Question #71: Real Exam Question with Answer & Explanation

The correct answer is B: Store the state in an encrypted backend. To protect sensitive data found in plaintext within Terraform state files, the recommended approach is to use a remote backend that encrypts the state at rest.

Implement and maintain state

Question

Your security team scanned some Terraform workspaces and found secrets stored in plaintext in state files. How can you protect sensitive data stored in Terraform state files?

Options

  • A. Delete the state file every time you run Terraform
  • B. Store the state in an encrypted backend
  • C. Edit your state file to scrub out the sensitive data
  • D. Always store your secrets in a secrets.tfvars file.

Explanation

To protect sensitive data found in plaintext within Terraform state files, the recommended approach is to use a remote backend that encrypts the state at rest.

Common mistakes.

  • A. Deleting the state file after every run would lead to loss of managed infrastructure tracking, preventing future updates or destruction of resources by Terraform.
  • C. Manually editing state files to remove sensitive data is error-prone, unsupported, and risks corrupting the state, which can lead to infrastructure drift or data loss.
  • D. Storing secrets in a secrets.tfvars file, if it's plaintext and committed to version control, does not prevent those secrets from being written into the state file during a Terraform run once they are processed.
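
The kind of scan described in the question, as an added example that is not part of the original page: it walks a Terraform state document and reports attributes whose names look like secrets and whose values are stored as plaintext strings. The sample state and the key-name pattern are constructed assumptions.

```python
import json
import re

# Constructed sample: a trimmed Terraform state (format version 4) as it could
# look after applying a database resource whose password came from a .tfvars file.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "aws_db_instance",
        "name": "app",
        "instances": [{
            "attributes": {
                "identifier": "app-db",
                "username": "admin",
                "password": "constructed-example-value",
                "tags": {"env": "dev"},
            }
        }],
    }],
})

# Assumption: attribute names matching this pattern are treated as secrets.
SECRET_KEY = re.compile(r"(password|secret|token|private_key)", re.I)


def walk(value, path):
    """Yield the dotted path of every non-empty string under a secret-looking key."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk(child, path + [key])
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from walk(child, path + [str(i)])
    elif isinstance(value, str) and value and any(SECRET_KEY.search(p) for p in path):
        yield ".".join(path)


def find_plaintext_secrets(state_text):
    """Return resource addresses of secret-looking attributes held in the state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        for inst in res.get("instances", []):
            for attr_path in walk(inst.get("attributes", {}), []):
                findings.append(f'{res["type"]}.{res["name"]}.{attr_path}')
    return findings


if __name__ == "__main__":
    for address in find_plaintext_secrets(SAMPLE_STATE):
        print("plaintext secret in state:", address)  # value is never printed
```
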

Concept tested. Securing Terraform state files

Reference. https://developer.hashicorp.com/terraform/language/state/backends#encryption

Topics

#Terraform state, #State file security, #Encrypted backends, #Sensitive data
