diff --git a/aws/resource_aws_vpn_connection.go b/aws/resource_aws_vpn_connection.go
index 16748cde6049..adc9eeef76a4 100644
--- a/aws/resource_aws_vpn_connection.go
+++ b/aws/resource_aws_vpn_connection.go
@@ -119,8 +119,9 @@ func resourceAwsVpnConnection() *schema.Resource {
 			},
 
 			"tunnel1_preshared_key": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:      schema.TypeString,
+				Sensitive: true,
+				Computed:  true,
 			},
 			"tunnel1_bgp_asn": {
 				Type:     schema.TypeString,
@@ -146,8 +147,9 @@ func resourceAwsVpnConnection() *schema.Resource {
 			},
 
 			"tunnel2_preshared_key": {
-				Type:     schema.TypeString,
-				Computed: true,
+				Type:      schema.TypeString,
+				Sensitive: true,
+				Computed:  true,
 			},
 			"tunnel2_bgp_asn": {
 				Type:     schema.TypeString,
diff --git a/website/docs/r/vpn_connection.html.markdown b/website/docs/r/vpn_connection.html.markdown
index 89de0b064433..c8f5392ca209 100644
--- a/website/docs/r/vpn_connection.html.markdown
+++ b/website/docs/r/vpn_connection.html.markdown
@@ -11,6 +11,9 @@ description: |-
 
 Provides a VPN connection connected to a VPC. These objects can be connected to customer gateways, and allow you to establish tunnels between your network and the VPC.
 
+~> **Note:** All arguments including `tunnel1_preshared_key` and `tunnel2_preshared_key` will be stored in the raw state as plain-text.
+[Read more about sensitive data in state](/docs/state/sensitive-data.html).
+
 ## Example Usage
 
 ```hcl