
Yes it is just encryption at rest and their API access mechanisms automatically apply the encrypt or decrypt action on your behalf. If your access is leaky encryption doesn't buy you anything.

I take special offense to teams who store Terraform state in S3 and claim "it's encrypted" when it is so easy for other users in the same AWS account to access the bucket's contents.

GCS is slightly more secure but you really need client side encryption to be safest.



May I ask what is the proper way to store Terraform state? We are currently testing out Terraform at my job and it just uses an S3 bucket with encryption turned on. Thanks


Oh we do, too. My beef with it is how easy it is for a user on the account to go and read your state due to a lax IAM or bucket policy.

My advice: check and make sure the bucket policy you use for the state has an explicit deny (resource *, principal *) and then you explicitly allow only the user / role that requires access to the TF state.

Things to watch out for are providers that store sensitive info in your state. For example, if you use Vault and you read a secret out of Vault with Terraform then the secret will be saved in your Terraform state which, painting with broad strokes, largely invalidates the purpose of Vault. Lots of providers do this, some are getting better about not requiring sensitive info to be saved in the state or included in the config.
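The deny-by-default bucket policy described in the comment above, as an added example that is not from this thread. It builds the policy in Python and runs requests through a toy evaluator that assumes AWS's rule that an explicit Deny overrides any Allow, which is why the Deny carries an aws:PrincipalArn condition excluding the Terraform role (without it the role is locked out too); the bucket name and ARNs are constructed placeholders.

```python
import fnmatch

# Constructed placeholder names for this example (not real resources)
STATE_BUCKET = "example-tf-state"
TF_ROLE = "arn:aws:iam::123456789012:role/terraform-apply"
OTHER_USER = "arn:aws:iam::123456789012:user/analyst"

def state_bucket_policy(bucket, allowed_arn, carve_out=True):
    """Deny every principal, then allow only the Terraform role. carve_out=True
    conditions the Deny on aws:PrincipalArn so it does not lock out that role."""
    resources = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    deny = {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": resources}
    if carve_out:
        deny["Condition"] = {"ArnNotEquals": {"aws:PrincipalArn": allowed_arn}}
    allow = {"Sid": "AllowStateRole", "Effect": "Allow",
             "Principal": {"AWS": allowed_arn},
             "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
             "Resource": resources}
    return {"Version": "2012-10-17", "Statement": [deny, allow]}

def _matches(stmt, principal, action, resource):
    """Does the statement apply to this request? Models only the features
    used above: single-ARN principals and the ArnNotEquals condition."""
    p = stmt["Principal"]
    if p != "*" and principal != p["AWS"]:
        return False
    actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
        return False
    excluded = stmt.get("Condition", {}).get("ArnNotEquals", {}).values()
    return all(principal != arn for arn in excluded)

def evaluate(policy, principal, action, resource):
    """Toy IAM evaluation: an explicit Deny overrides any Allow, and no
    matching statement at all is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, principal, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"

if __name__ == "__main__":
    obj = f"arn:aws:s3:::{STATE_BUCKET}/prod/terraform.tfstate"
    policy = state_bucket_policy(STATE_BUCKET, TF_ROLE)
    print(evaluate(policy, TF_ROLE, "s3:GetObject", obj))  # Allow
    naive = state_bucket_policy(STATE_BUCKET, TF_ROLE, carve_out=False)
    print(evaluate(naive, TF_ROLE, "s3:GetObject", obj))   # Deny: the role is locked out too
```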



