Why does this backend configuration not follow best practices?

Prepare for the HashiCorp Terraform Associate Exam with quizzes, flashcards, and multiple-choice questions. Each question includes hints and explanations. Boost your confidence and ace your exam!

Multiple Choice

Why does this backend configuration not follow best practices?

Explanation:
Credentials should never be stored in Terraform configuration. Placing sensitive keys or secrets in the backend block means they become part of the codebase, which can be checked into version control, shared with others, or exposed in logs and CI pipelines. That creates a risk that anyone with access to the code can access and potentially modify your remote state.

The best approach is to supply credentials through secure external mechanisms. For example, use environment variables (like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), a shared credentials file with a named profile, or an IAM role via instance profiles or CI runners. The backend configuration should focus on non-sensitive details needed to reach the remote state (such as the bucket, region, key, and encryption or locking settings), while credentials are provided by these external, auditable sources.

This keeps access to your state secure, makes automation safer, and allows for proper rotation and least-privilege controls. The other options don’t address credential security in the same robust way.
