Which of the following is a best practice for backend configuration in Terraform?

Keeping credentials out of Terraform configuration and version control is essential. The backend block handles where the state is stored and how it’s accessed, so supplying those credentials from a separate secure location rather than hardcoding them protects secrets, supports rotation, and lets you enforce centralized access controls across environments. This approach keeps the repository clean and reduces the risk of leaking sensitive information if the code is shared or checked in. Embedding credentials directly in the backend configuration is insecure because those values can end up in version control or be exposed to anyone with repo access. Using a backend that stores credentials in the state file is problematic since the state can be read by anyone who can access it, leaking sensitive data. Relying on multiple credentials for redundancy adds unnecessary complexity and doesn’t address the core security concern of keeping secrets out of code and state.