State file encryption in Terraform - Practice Problems & Coding Challenges

Challenge - 5 Problems
Configuration
intermediate
Enable encryption for Terraform state file in AWS S3 backend
You want to store your Terraform state file securely in an AWS S3 bucket. Which backend configuration snippet correctly enables server-side encryption using AWS-managed keys (SSE-S3)?
A
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  encrypt = true
}
B
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  server_side_encryption = "AES256"
}
C
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  server_side_encryption = "aws:kms"
}
D
backend "s3" {
  bucket = "my-terraform-state"
  key    = "state.tfstate"
  region = "us-east-1"
  encryption = "AES256"
}
💡 Hint
Look for the exact attribute name that enables AWS S3 server-side encryption with AES256.
Architecture
intermediate
Choosing encryption method for Terraform state in Azure Blob Storage
You are configuring Terraform state storage in Azure Blob Storage. Which option correctly describes how to enable encryption at rest for the state file?
A. Enable 'use_azuread_auth' in backend and rely on Azure Blob Storage's default encryption at rest.
B. Set 'encrypt = true' in the backend configuration to enable client-side encryption.
C. Add 'server_side_encryption = "AES256"' in the backend configuration.
D. Configure a customer-managed key in Azure Key Vault and link it to the storage account for server-side encryption.
💡 Hint
Azure Blob Storage encrypts data at rest by default, but you can enhance security with your own keys.
Security
advanced
Impact of disabling encryption on Terraform state file security
What is the most significant risk if you disable encryption for your Terraform state file stored in a remote backend?
A. The state file may become corrupted during Terraform operations.
B. Sensitive data in the state file can be exposed to unauthorized users if the storage is compromised.
C. Terraform will fail to initialize the backend without encryption enabled.
D. The state file size will increase significantly without encryption.
💡 Hint
Think about what sensitive information the state file contains and what happens if it is not protected.
Service behavior
advanced
Behavior of Terraform when state file encryption key is rotated in AWS KMS
If you use AWS KMS customer-managed keys (CMK) for encrypting your Terraform state file in S3 and rotate the CMK, what happens when Terraform tries to access the state file?
A. Terraform can still decrypt the state file transparently because AWS KMS supports key rotation without changing the key ID.
B. Terraform will ignore encryption and access the state file in plaintext.
C. Terraform will create a new state file encrypted with the new key but cannot read the old one.
D. Terraform will fail to decrypt the state file until the backend configuration is updated with the new key ID.
💡 Hint
Consider how AWS KMS key rotation works with the same key alias or ID.
Best Practice
expert
Best practice for managing Terraform state encryption keys in a multi-team environment
In a large organization with multiple teams managing infrastructure via Terraform, what is the best practice for managing encryption keys used for Terraform state files stored in a centralized backend?
A. Use a single shared customer-managed key (CMK) with broad access permissions for all teams to simplify management.
B. Use default provider-managed keys without any access restrictions.
C. Use individual customer-managed keys per team with strict access controls and audit logging enabled.
D. Disable encryption and rely on network security to protect the state files.
💡 Hint
Think about security isolation and accountability in multi-team environments.