State encryption at rest in Terraform - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1: Configuration (intermediate, 2:00 time limit)
Enable encryption for Terraform state in AWS S3 backend
You want to ensure your Terraform state file stored in an AWS S3 bucket is encrypted at rest using AWS-managed keys. Which backend configuration snippet correctly enables this?
A
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  server_side_encryption = "AES256"
}
B
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  sse_algorithm = "AES256"
}
C
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  encrypt = true
}
D
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  server_side_encryption = true
}
💡 Hint
Look for the correct attribute name and value to enable AWS S3 server-side encryption with AWS-managed keys.
Problem 2: Architecture (intermediate, 2:00 time limit)
Choosing backend for encrypted Terraform state storage
You want to store Terraform state securely with encryption at rest and easy team access. Which backend choice best meets these requirements?
A. Use S3 backend with server-side encryption enabled and DynamoDB for state locking.
B. Use HTTP backend with a custom server that encrypts state files before saving.
C. Use Terraform Cloud remote backend without additional encryption configuration.
D. Use local backend storing state on your laptop's disk with filesystem encryption enabled.
💡 Hint
Consider managed services that provide encryption and locking out of the box.
Problem 3: Security (advanced, 2:00 time limit)
Impact of disabling encryption on Terraform state in S3
What is the most likely outcome if you disable server-side encryption on an existing S3 bucket storing Terraform state files?
A. New state files will be stored unencrypted, exposing sensitive data at rest.
B. S3 will automatically encrypt all objects regardless of bucket settings.
C. Terraform will refuse to write state files due to missing encryption settings.
D. Terraform state files will remain encrypted because existing objects keep their encryption metadata.
💡 Hint
Think about how S3 encryption settings affect new and existing objects.
Problem 4: Service Behavior (advanced, 2:00 time limit)
Behavior of Terraform state encryption with KMS CMK
You configure your S3 backend to use a customer-managed AWS KMS key (CMK) for encrypting Terraform state. What happens if the KMS key is disabled?
A. Terraform automatically switches to AWS-managed keys for encryption.
B. Terraform can still read and write state files without issues.
C. Terraform fails to write new state files but can read existing ones.
D. Terraform fails to read and write state files until the key is enabled.
💡 Hint
Consider how KMS key status affects access to encrypted objects.
Problem 5: Best Practice (expert, 3:00 time limit)
Ensuring Terraform state encryption and access control in multi-account AWS setup
You manage Terraform state in a central AWS account's S3 bucket encrypted with a KMS key. Multiple AWS accounts need to access this state securely. Which approach best ensures encryption at rest and least-privilege access?
A. Use a KMS key policy granting only the central account access, and replicate state files to each account's bucket.
B. Configure the KMS key policy to allow decrypt/encrypt only for specific IAM roles in each account, and restrict S3 bucket access similarly.
C. Share the S3 bucket and KMS key policies to allow all accounts full access to the bucket and key.
D. Disable KMS encryption and rely on S3 bucket policies to restrict access to all accounts.
💡 Hint
Think about how to limit encryption key usage and S3 access to only authorized roles.