fix: suggestion 1

aristosvo · bendrucker · web-flow · commit 2ea39d5b8dc6 · 2025-04-11T22:09:18.000+03:00
Co-authored-by: Ben Drucker &lt;bvdrucker@gmail.com&gt;
diff --git a/docs/rules/aws_write_only_attributes.md b/docs/rules/aws_write_only_attributes.md
@@ -25,7 +25,9 @@ Warning: [Fixable] "secret_string" is a non-ephemeral attribute, which means thi
 
 ## Why
 
-Saving secrets to state or plan files is a bad practice. It can cause serious security issues. Keeping secrets from these files is possible in most of the cases by using write-only attributes.
+By default, sensitive attributes are still stored in state, just hidden from view in plan output. Other resources are able to refer to these attributes. Current versions of Terraform also include support for write-only arguments, which are not persisted to state. Other resources cannot refer to their values.
+
+Using write-only arguments mitigates the risk of a malicious actor obtaining privileged credentials by accessing Terraform state files directly. Prefer using them over the original sensitive attribute unless you need to refer to it in other blocks, such as a [root `output`](https://developer.hashicorp.com/terraform/language/values/outputs#ephemeral-avoid-storing-values-in-state-or-plan-files), that cannot be ephemeral.
 
 ## How To Fix
 
