HashiCorp Certified: Terraform Associate — Question 245

Your security team scanned some Terraform workspaces and found secrets stored in a plaintext in state files.
How can you protect sensitive data stored in Terraform state files?

Answer options

• A. Delete the state file every time you run Terraform
• B. Store the state in an encrypted backend
• C. Edit your state file to scrub out the sensitive data
• D. Always store your secrets in a secrets.tfvars file.

Correct answer: B

Explanation

The correct answer is B because storing the state in an encrypted backend ensures that sensitive data is protected through encryption. Option A is impractical as it would lead to loss of state information. Option C does not provide a reliable solution since manually editing state files can lead to errors or loss of data. Option D is not a secure method for handling secrets, as it still exposes sensitive information in a plaintext format.