Your security team scanned some Terraform workspaces and found secrets stored in plaintext in state files. How can you protect sensitive data stored in Terraform state files?
A. Delete the state file every time you run Terraform
B. Store the state in an encrypted backend
C. Edit your state file to scrub out the sensitive data
D. Always store your secrets in a secrets.tfvars file.
B. Store the state in an encrypted backend
Explanation:
Storing the Terraform state in an encrypted backend is the recommended approach to protect sensitive data. Terraform supports various backends, and using an encrypted backend ensures that the state file is encrypted at rest, adding an extra layer of security.
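An added example (not part of the question page) of what "encrypted backend" looks like in practice: a Terraform configuration that writes state to an S3 backend with server-side encryption, alongside a variable marked `sensitive`. The bucket name, lock table, region and KMS key ARN are placeholders. The comments spell out the point the explanation makes: `sensitive = true` and `.tfvars` files only control what is shown or where inputs live; the backend is what protects the stored state.

```hcl
terraform {
  required_version = ">= 1.3"

  backend "s3" {
    # Placeholder names: replace with your own bucket, table and key.
    bucket = "example-tfstate-bucket"
    key    = "workspaces/prod/terraform.tfstate"
    region = "us-east-1"

    # Server-side encryption of the state object at rest.
    encrypt = true
    # Encrypt with a customer-managed KMS key so access to the state
    # requires both bucket permissions and kms:Decrypt on this key.
    kms_key_id = "arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000"

    # State locking to prevent concurrent writes.
    dynamodb_table = "example-tfstate-locks"
  }
}

# Marking the variable sensitive redacts it from plan/apply output only.
# The value is still written to the state file in cleartext, which is
# why the encrypted backend above, not a secrets.tfvars file, is what
# actually protects it.
variable "db_password" {
  type      = string
  sensitive = true
}

# Any resource that consumes the secret records it in state as well.
resource "aws_ssm_parameter" "db_password" {
  name  = "/example/db/password"
  type  = "SecureString"
  value = var.db_password
}
```

Restrict who can read the bucket, the lock table and the KMS key with IAM; the backend's encryption only helps if the set of principals able to decrypt the state is the set that needs it.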
B, got answer:
To protect sensitive data stored in Terraform state files, you should use an encrypted backend. Storing state in an encrypted backend helps secure sensitive information, such as secrets and access keys, that might be present in the state file. This prevents unauthorized access to sensitive data.
D. Always store your secrets in a secrets.tfvars file: Storing secrets in separate variable files is a common practice, but it doesn't directly address the security of the Terraform state. Even if secrets are in a separate file, protecting the state file is still important.
Confusion between B and D? Check this.
Terraform will still record sensitive values in the state, and so anyone who can access the state data will have access to the sensitive values in cleartext.
Ref: https://developer.hashicorp.com/terraform/language/values/variables#suppressing-values-in-cli-output
Variables in any file are still stored in state as plaintext. So D cannot be the correct answer. Please vote for the correct answer to help others.
Why not D? Setting values with a .tfvars file allows you to separate sensitive values from the rest of your variable values, and makes it clear to people working with your configuration which values are sensitive. However, it requires that you maintain and share the secret.tfvars file with only the appropriate people. You must also be careful not to check .tfvars files with sensitive values into version control.
It cannot be D because the problem is that the secrets are plaintext within your secrets.tfvars file. Think about how you would secure that secrets.tfvars within your group of appropriate people.
I disagree, setting values with a .tfvars file is also an option but least recommended. Securing your state file by encryption would only give access to the person or a team that needs it.
B. Store the state in an encrypted backend.
Terraform state files can contain sensitive information such as access keys, passwords, and private keys. To protect this information from unauthorized access, it is important to store the state file securely.
Commenters (most recent first):
NashP (9 months, 3 weeks ago)
shefulacertificari (10 months, 1 week ago)
gofavad926 (1 year, 1 month ago)
aanataliya (1 year, 2 months ago)
Ni33 (1 year, 6 months ago)
DKwork (1 year, 5 months ago)
Chrisler (1 year, 2 months ago)
joyboy23 (1 year, 4 months ago)
camps (1 year, 7 months ago)
Power123 (1 year, 7 months ago)
vadeemkaa (1 year, 11 months ago)
nakikoo (1 year, 11 months ago)
eduvar4 (2 years, 1 month ago)
Ahmad_Terraform (2 years, 4 months ago)
Eltooth (2 years, 4 months ago)