HashiCorp Certified: Terraform Associate (003) — Question 3

Your security team scanned some Terraform workspaces and found secrets stored in plaintext in state files. How can you protect that data?

Answer options

• A. Delete the state file every time you run Terraform.
• B. Store the state in an encrypted backend.
• C. Always store your secrets in a secrets.tfvars file.
• D. Edit your state file to scrub out the sensitive data.

Correct answer: B

Explanation

The correct answer is B because utilizing an encrypted backend ensures that sensitive data within the state files is protected from unauthorized access. Option A is ineffective since deleting the state file can lead to loss of necessary infrastructure details. Option C does not directly address the state file issue, and option D is not a reliable solution as it could lead to inconsistencies or errors in the state management.