Your organization requires that new AWS S3 buckets be private and encrypted at rest. How can Terraform Enterprise automatically enforce this security control before changes are applied?


Multiple Choice

Your organization requires that new AWS S3 buckets be private and encrypted at rest. How can Terraform Enterprise automatically enforce this security control before changes are applied?

Explanation:

Enforcing guardrails with policy as code is what makes a security control automatic instead of a matter of reviewer discipline. In Terraform Enterprise, Sentinel policies are evaluated on every run after the plan is produced and before the apply step, so they can reject any plan that would create or modify resources that do not meet your standards. Here, a Sentinel policy reads the planned changes (the tfplan/v2 import), finds each aws_s3_bucket that is being created or updated, and requires that the bucket is private (public access blocked, no public ACL or bucket policy) and encrypted at rest (server-side encryption configured, such as SSE-S3 or SSE-KMS). If the plan would create or alter a bucket without these settings, the policy fails and the run stops before anything is applied.

Two caveats matter in practice. The policy only blocks the run if its enforcement level is hard-mandatory; a soft-mandatory failure can be overridden by a user with the right permission, and an advisory failure only warns. And the policy checks what the plan declares: with AWS provider v4 and later, the ACL, the public access block and the encryption settings are separate resources (aws_s3_bucket_public_access_block, aws_s3_bucket_server_side_encryption_configuration) rather than arguments on aws_s3_bucket, so the policy has to tie those companion resources back to the bucket instead of looking for a single attribute.

Other options do not provide the same pre-apply enforcement. Adding variables in workspaces relies on manual discipline and can be bypassed or forgotten. A module with proper settings helps, but it is not a universal gate across all bucket resources or accounts; nothing stops someone from declaring aws_s3_bucket directly. Auditing with a vulnerability scanner finds issues after resources exist, not before changes are applied, so it will not automatically stop a noncompliant change at plan time.
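The policy described above, written out as an added example (this is not code from the page or from HashiCorp's policy libraries). It assumes the AWS provider v4+ resource model, the tfplan/v2 and tfconfig/v2 imports available in Terraform Enterprise, and that each bucket is attached to its companion resources by reference (bucket = aws_s3_bucket.x.id). The plan alone cannot link them, because the bucket id is unknown until apply, so the configuration's references are used for the link and the plan for the values; a companion resource that names its bucket with a literal string is not linked, and that bucket is reported as a violation (fail closed).

```sentinel
# Added example policy: every S3 bucket the plan creates or updates must
# have a fully restrictive public access block and SSE configured.
# Assumes AWS provider v4+ and the tfplan/v2 + tfconfig/v2 imports.
import "tfplan/v2" as tfplan
import "tfconfig/v2" as tfconfig
import "strings"

# True for managed resources that still exist after the run.
keeps = func(rc) {
	return rc.mode is "managed" and
		(rc.change.actions contains "create" or
		 rc.change.actions contains "update" or
		 rc.change.actions contains "no-op")
}

# Index-free absolute address, e.g. "module.logs.aws_s3_bucket.main".
base_address = func(rc) {
	if rc.module_address is "" {
		return rc.type + "." + rc.name
	}
	return rc.module_address + "." + rc.type + "." + rc.name
}

# Map: companion-resource address -> address of the bucket it targets,
# read from the references behind its `bucket` argument in the config.
targets = func(rtype) {
	m = {}
	configs = filter tfconfig.resources as _, r { r.type is rtype }
	for configs as _, r {
		refs = r.config.bucket.references else []
		for refs as ref {
			parts = strings.split(ref, ".")
			if length(parts) >= 2 and parts[0] is "aws_s3_bucket" {
				addr = parts[0] + "." + parts[1]
				if r.module_address is not "" {
					addr = r.module_address + "." + addr
				}
				m[r.address] = addr
			}
		}
	}
	return m
}

# All four public-access settings must be on.
pab_ok = func(after) {
	return after.block_public_acls is true and
		after.block_public_policy is true and
		after.ignore_public_acls is true and
		after.restrict_public_buckets is true
}

# A default SSE rule with SSE-S3 or SSE-KMS must be present.
sse_ok = func(after) {
	rules = after["rule"] else []
	for rules as r {
		defaults = r.apply_server_side_encryption_by_default else []
		for defaults as d {
			if d.sse_algorithm in ["AES256", "aws:kms", "aws:kms:dsse"] {
				return true
			}
		}
	}
	return false
}

# Bucket addresses that have a compliant companion resource of type rtype.
buckets_with = func(rtype, ok) {
	found = []
	target = targets(rtype)
	for tfplan.resource_changes as _, rc {
		if rc.type is rtype and keeps(rc) and ok(rc.change.after) {
			b = target[base_address(rc)] else null
			if b is not null {
				append(found, b)
			}
		}
	}
	return found
}

private = buckets_with("aws_s3_bucket_public_access_block", pab_ok)
encrypted = buckets_with("aws_s3_bucket_server_side_encryption_configuration", sse_ok)

# Buckets being created or changed in this plan.
buckets = filter tfplan.resource_changes as _, rc {
	rc.type is "aws_s3_bucket" and rc.mode is "managed" and
	(rc.change.actions contains "create" or rc.change.actions contains "update")
}

violations = filter buckets as _, rc {
	not (base_address(rc) in private) or not (base_address(rc) in encrypted)
}

for violations as address, _ {
	print("S3 bucket", address, "must block public access and configure SSE")
}

main = rule { length(violations) is 0 }
```

Attach the policy to a policy set with the hard-mandatory enforcement level, or a run can still proceed after an override. Existing, unchanged companion resources count (the "no-op" action) so that a bucket whose settings were applied in an earlier run is not flagged again. For configurations pinned to an older AWS provider, the same logic checks the acl and server_side_encryption_configuration arguments on aws_s3_bucket itself instead of the companion resources.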
