Back to the course
Test yourself

Terraform security and compliance

Final exam · 18 questions · answers explained as you pick
State security & pipeline scanning
9 questions
01Why does Terraform state deserve secret-level handling?
Incorrect — State is JSON text; size is irrelevant to the risk.
Correct — RDS passwords, private keys, and tokens land in state verbatim.
Incorrect — fmt formats HCL and never touches state.
Incorrect — Backends like S3+KMS or TFC encrypt state at rest.
02The safest home for shared state is…
Incorrect — That leaks secrets into history and offers no locking.
Correct — S3+DynamoDB or Terraform Cloud give encryption, locking, and scoped access.
Incorrect — No locking and no encryption guarantee.
Incorrect — Artifacts are broadly readable and unlocked.
03State locking exists to prevent…
Incorrect — Locking says nothing about out-of-band console changes.
Correct — DynamoDB/TFC serialize writers so one apply finishes before the next.
Incorrect — Locking governs concurrency, not secrecy.
Incorrect — Locking is unrelated to performance.
04Least-privilege state access means…
Incorrect — State exposes secrets — broad read access is dangerous.
Incorrect — HCL is not the sensitive artifact; state is.
Correct — Scope the S3 bucket policy or TFC team access tightly.
Incorrect — That removes locking and shared state, making things worse.
05tfsec and checkov analyze your infrastructure by…
Incorrect — That is a CSPM/posture tool, not a static IaC scanner.
Correct — They flag a public bucket in review, not after it ships.
Incorrect — They inspect configuration, not past state.
Incorrect — That is IDS/observability, not IaC scanning.
06Scanning the plan JSON (not just raw HCL) matters because…
Incorrect — Speed is not the reason.
Incorrect — Scanners parse HCL fine; the plan simply reveals more.
Correct — A value hidden behind a var becomes visible in plan JSON, catching more issues.
Incorrect — Skipping modules would reduce coverage, not improve it.
07A scanner suppression should always carry…
Correct — Permanent silent ignores make the scanner meaningless; expiry forces review.
Incorrect — Without an expiry it is never revisited.
Incorrect — Attribution is not a substitute for a justification and expiry.
Incorrect — Legitimate exceptions exist; they just must expire and be justified.
08To shift IaC scanning left effectively, run it…
Incorrect — Too late — bad changes are already merged.
Correct — Pre-commit is advisory; CI blocks the merge.
Incorrect — That catches problems after they ship.
Incorrect — Manual scanning is not repeatable or reliable.
09To keep secrets out of CI logs when running plans…
Incorrect — Raw plan output can echo sensitive values into logs.
Incorrect — That removes a control without solving the leak.
Correct — sensitive = true redacts values, and pipelines should not echo state.
Incorrect — Saved plan files contain secrets too.
9 questions · explanations appear as you answer
Policy, drift & supply chain
9 questions
01OPA/Rego with conftest lets a platform team…
Incorrect — That is Trivy or Grype, not policy-as-code.
Correct — Deny public buckets or 0.0.0.0/0 ingress as executable policy.
Incorrect — That is terraform fmt.
Incorrect — Policy engines evaluate config; they do not encrypt state.
02Policy-as-code beats a written wiki standard because…
Incorrect — Length is not the point.
Correct — A doc gets ignored; a failing conftest check does not.
Incorrect — Policies evolve with the org and cloud.
Incorrect — Policy complements review; it does not replace human judgment.
03Enforcing policy in CI versus at the cloud guardrail layer…
Incorrect — Someone can still change infra out-of-band, bypassing CI.
Correct — SCPs and Config rules back up the pipeline as defense in depth.
Incorrect — That is late and misses non-Kubernetes resources.
Incorrect — Scanners are not a substitute for custom organizational policy.
04Configuration drift is…
Incorrect — Performance is unrelated to drift.
Incorrect — Upgrading the CLI is not drift.
Correct — For example, someone edits a security group directly in the console.
Incorrect — Syntax errors fail validation, not drift detection.
05The standard drift tripwire is…
Incorrect — fmt only formats code; it detects nothing.
Correct — A cron plan pages someone when reality no longer matches code.
Incorrect — That is destructive, not detection.
Incorrect — Not repeatable and easy to skip.
06When drift is detected, the first step is to…
Incorrect — A blind apply can revert a legitimate emergency fix.
Correct — Understand intent before overwriting production.
Incorrect — Unexplained drift can be an incident in progress.
Incorrect — Destroying resources is rarely the right first move.
07Third-party Terraform modules should be treated as…
Incorrect — They run with your cloud credentials and create real resources.
Incorrect — Vetted reuse is valuable; blanket avoidance wastes it.
Correct — Pin to a tag or commit and read what the module provisions.
Incorrect — Floating versions invite supply-chain surprises.
08Pinning a module to a mutable branch like main is risky because…
Incorrect — Performance is not the concern.
Correct — Pin to an immutable tag or commit SHA instead.
Incorrect — They work — that is exactly the problem.
Incorrect — Source ref does not affect state size.
09A private module registry improves supply-chain security by…
Incorrect — That is the opposite of the goal.
Incorrect — You still pin versions from a private registry.
Correct — Teams consume approved building blocks instead of arbitrary GitHub repos.
Incorrect — Registries distribute modules; they do not manage state.
9 questions · explanations appear as you answer