Description
The Terraform configuration in lesson-02 does not configure remote state with encryption, potentially exposing infrastructure secrets if state files are stored remotely.
Location
lesson-02/demo-04-zero-trust/terraform/main.tf
Missing Configuration
The Terraform configuration lacks a backend block with encryption settings:
terraform {
  required_version = ">= 1.0.0"
  # Missing: backend with encryption
}
Risk
- Severity: Medium
- CWE: CWE-312 (Cleartext Storage of Sensitive Information)
Sensitive Data at Risk
Terraform state files may contain:
- Database passwords
- API keys
- Private IP addresses
- Resource ARNs and IDs
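To make the list above concrete, here is an added example (not part of the original issue or the lesson materials) that walks a constructed terraform.tfstate document and reports which values a reader of the state file would see in cleartext. The sample state, the resource names and the secret values are all constructed for the example; the point it demonstrates is that marking an output `sensitive` in HCL only redacts CLI output, while the state file still carries the raw value.

```python
import json
import re
from typing import Iterator

# Constructed terraform.tfstate (state format version 4). Real state files carry
# more fields (provider address, sensitive_attributes, ...); this is a minimal stand-in.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "serial": 3,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "db_endpoint": {"value": "db.internal:5432", "type": "string"},
        # 'sensitive' only hides the value from `terraform output`; the state keeps it.
        "api_key": {"value": "constructed-api-key", "type": "string", "sensitive": True},
    },
    "resources": [
        {
            "mode": "managed",
            "type": "aws_db_instance",
            "name": "main",
            "instances": [{
                "schema_version": 1,
                "attributes": {
                    "arn": "arn:aws:rds:us-east-1:123456789012:db:main",
                    "address": "10.0.1.25",
                    "username": "admin",
                    "password": "constructed-db-password",
                },
            }],
        }
    ],
})

# Attribute names that commonly hold credentials; extend to taste.
SENSITIVE_NAME = re.compile(r"(password|secret|token|api_key|private_key|credential)", re.I)


def _walk(node, prefix: str = "") -> Iterator[tuple[str, object]]:
    """Flatten nested dicts/lists into (dotted.path, leaf_value) pairs."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk(val, f"{prefix}{key}.")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), node


def find_sensitive_values(state_json: str) -> list[dict]:
    """Return every output or resource attribute in the state that looks like a secret."""
    state = json.loads(state_json)
    hits = []
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") or SENSITIVE_NAME.search(name):
            hits.append({"path": f"outputs.{name}", "value": out.get("value")})
    for res in state.get("resources", []):
        for idx, inst in enumerate(res.get("instances", [])):
            for attr, val in _walk(inst.get("attributes", {})):
                if SENSITIVE_NAME.search(attr):
                    hits.append({"path": f'{res["type"]}.{res["name"]}[{idx}].{attr}',
                                 "value": val})
    return hits


if __name__ == "__main__":
    for hit in find_sensitive_values(SAMPLE_STATE):
        # Print the path only; the whole point is not to spread the value further.
        print(f"cleartext secret in state at {hit['path']}")
```

Run against a real state file by reading it from disk instead of `SAMPLE_STATE`; anything the function reports is exactly what an attacker with read access to the state bucket would obtain, which is why the backend needs encryption and tight IAM on the bucket rather than reliance on the `sensitive` flag.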
Remediation
Add backend configuration with encryption:
terraform {
  backend "s3" {
    bucket         = "terraform-state-bucket"
    key            = "zero-trust/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "alias/terraform-state-key"
    dynamodb_table = "terraform-locks"
  }
}
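The following is an added example, not code from the lesson repository, showing a lightweight check that could run in CI or a pre-commit hook to catch exactly this finding: it reads a main.tf, locates the `terraform {}` block, and reports whether an S3 backend with `encrypt = true`, a KMS key and state locking is present. The two embedded HCL strings reproduce the insecure block from the issue and the remediated block above; the brace-matching parser is a deliberate simplification and handles only the block/attribute shapes shown here, not the full HCL grammar.

```python
import re
from typing import Optional

# The lesson's current block (constructed copy of the finding above).
INSECURE_MAIN_TF = '''terraform {
  required_version = ">= 1.0.0"
  # Missing: backend with encryption
}
'''

# The remediated block.
SECURE_MAIN_TF = '''terraform {
  backend "s3" {
    bucket         = "terraform-state-bucket"
    key            = "zero-trust/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "alias/terraform-state-key"
    dynamodb_table = "terraform-locks"
  }
}
'''

TERRAFORM_HEADER = re.compile(r"^\s*terraform\s*\{", re.M)
BACKEND_HEADER = re.compile(r'^\s*backend\s+"([^"]+)"\s*\{', re.M)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*("?[^"\n]*"?)', re.M)


def _block_body(text: str, header: re.Pattern) -> Optional[str]:
    """Return the text between the braces of the first block matching header, or None."""
    m = header.search(text)
    if not m:
        return None
    depth = 0
    start = m.end()  # just past the opening brace
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            if depth == 0:
                return text[start:i]
            depth -= 1
    return None  # unbalanced braces


def check_state_backend(hcl: str) -> dict:
    """Inspect a main.tf string and report backend encryption/locking status."""
    text = re.sub(r"(?m)^\s*(#|//).*$", "", hcl)  # drop comment lines
    findings: list[str] = []
    result = {"backend": None, "encrypt": False, "kms_key_id": False,
              "locking": False, "findings": findings}

    tf_body = _block_body(text, TERRAFORM_HEADER)
    if tf_body is None:
        findings.append("no terraform {} block found")
        return result
    m = BACKEND_HEADER.search(tf_body)
    if not m:
        findings.append("no backend block: state stays in a local, unencrypted terraform.tfstate")
        return result
    result["backend"] = m.group(1)
    attrs = {k: v.strip().strip('"') for k, v in ATTR_RE.findall(_block_body(tf_body, BACKEND_HEADER) or "")}

    if result["backend"] != "s3":
        findings.append(f'backend "{result["backend"]}": verify its own encryption-at-rest settings')
        return result
    result["encrypt"] = attrs.get("encrypt") == "true"
    result["kms_key_id"] = bool(attrs.get("kms_key_id"))
    # dynamodb_table is the classic lock; use_lockfile is S3-native locking (Terraform 1.10+).
    result["locking"] = "dynamodb_table" in attrs or attrs.get("use_lockfile") == "true"
    if not result["encrypt"]:
        findings.append("encrypt = true missing: state objects are not server-side encrypted")
    if not result["kms_key_id"]:
        findings.append("kms_key_id missing: encryption falls back to SSE-S3 instead of a customer-managed key")
    if not result["locking"]:
        findings.append("no state locking: concurrent applies can corrupt state")
    return result


if __name__ == "__main__":
    for label, hcl in (("insecure", INSECURE_MAIN_TF), ("secure", SECURE_MAIN_TF)):
        print(label, check_state_backend(hcl)["findings"])
```

For the repository itself, read `lesson-02/demo-04-zero-trust/terraform/main.tf` and fail the pipeline when `findings` is non-empty; the same function run on both HCL strings doubles as the "secure vs insecure" comparison suggested in the note below.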
Note
For training purposes, consider adding this as a "secure vs insecure" comparison in the lesson materials.