How can you prevent sensitive data from being exposed in state files?

Master the HashiCorp Terraform Test with these flashcards and multiple choice questions. Each question includes hints and explanations to prepare you effectively. Set yourself up for success!

Using the 'sensitive = true' attribute in resource definitions is the correct approach for preventing sensitive data from being exposed in state files. When this attribute is set on a resource or output, Terraform marks that data as sensitive. This means that when the state is output or displayed, the sensitive information will be redacted, preventing it from being shown in the Terraform console output, logs, and state files.

This feature is particularly important in shared environments or when using remote state storage, as it reduces the risk of unintentional exposure of sensitive data like passwords, access keys, or secret tokens. By clearly marking data as sensitive, you ensure that even if someone has access to the state file, they won’t see sensitive values unless they intentionally access them through other means.

In contrast, while encrypting the state file manually may enhance security, it does not directly address how sensitive data is managed within the Terraform workflow. Encrypting a state file is an action that can be complemented by marking sensitive attributes but doesn't inherently prevent exposure during operations.

Placing state files in a secure directory can provide an additional layer of protection, yet it does not mitigate the risk of sensitive data being revealed if the directory is accessed or if the state file is read by individuals with
