HashiCorp Certified: Terraform Associate — Question 212

Your risk management organization requires that new AWS S3 buckets must be private and encrypted at rest. How can Terraform Cloud automatically and proactively enforce this security control?

Answer options

• A. Auditing cloud storage buckets with a vulnerability scanning tool
• B. With a Sentinel policy, which runs before every apply
• C. With an S3 module with proper settings for buckets
• D. By adding variables to each Terraform Cloud workspace to ensure these settings are always enabled

Correct answer: B

Explanation

The correct answer is B because a Sentinel policy can enforce specific rules and checks before any changes are applied, ensuring compliance with the requirement for S3 buckets to be private and encrypted. Options A and C do not provide proactive enforcement but rather reactive measures, while option D relies on manual configuration, which may lead to inconsistencies.