An organization uses Ansible to automate server configuration for a hybrid cloud environment. The security team requires that sensitive data such as API keys and passwords are not exposed in the Ansible playbooks or logs. The Ansible control node is shared among several administrators. What is the best approach to protect these secrets?
Ansible Vault encrypts data at rest; only authorized users with the vault password can decrypt.
Why this answer
Ansible Vault encrypts sensitive data within playbooks. Option A is correct. Plaintext (B) is insecure.
Environment variables (C) can be logged. Removing secrets (D) is impractical.