diff --git a/internal/backend/remote-state/s3/backend.go b/internal/backend/remote-state/s3/backend.go
index 940553b50b..777edc548a 100644
--- a/internal/backend/remote-state/s3/backend.go
+++ b/internal/backend/remote-state/s3/backend.go
@@ -266,6 +266,12 @@ func (b *Backend) PrepareConfig(obj cty.Value) (cty.Value, tfdiags.Diagnostics)
 encryptionKeyConflictError,
 cty.Path{},
 ))
+ } else if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
+ diags = diags.Append(tfdiags.Sourceless(
+ tfdiags.Error,
+ "Invalid encryption configuration",
+ encryptionKeyConflictEnvVarError,
+ ))
 }
 }
 
@@ -334,23 +340,21 @@ func (b *Backend) Configure(obj cty.Value) tfdiags.Diagnostics {
 ))
 }
 }
- } else {
- if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
- if len(customerKey) != 44 {
+ } else if customerKey := os.Getenv("AWS_SSE_CUSTOMER_KEY"); customerKey != "" {
+ if len(customerKey) != 44 {
+ diags = diags.Append(tfdiags.Sourceless(
+ tfdiags.Error,
+ "Invalid AWS_SSE_CUSTOMER_KEY value",
+ `The environment variable "AWS_SSE_CUSTOMER_KEY" must be 44 characters in length`,
+ ))
+ } else {
+ var err error
+ if b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKey); err != nil {
 diags = diags.Append(tfdiags.Sourceless(
 tfdiags.Error,
 "Invalid AWS_SSE_CUSTOMER_KEY value",
- "AWS_SSE_CUSTOMER_KEY must be 44 characters in length",
+ fmt.Sprintf(`The environment variable "AWS_SSE_CUSTOMER_KEY" must be base64 encoded: %s`, err),
 ))
- } else {
- var err error
- if b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKey); err != nil {
- diags = diags.Append(tfdiags.Sourceless(
- tfdiags.Error,
- "Invalid AWS_SSE_CUSTOMER_KEY value",
- fmt.Sprintf("AWS_SSE_CUSTOMER_KEY must be base64 encoded: %s", err),
- ))
- }
 }
 }
 }
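Review bot: The `customerKey` binding in the new `else if` of PrepareConfig is only compared against the empty string, so the initializer introduces a name that nothing reads; `} else if os.Getenv("AWS_SSE_CUSTOMER_KEY") != "" {` expresses the same check. The enclosing `if` — presumably the `kms_key_id` presence check, given that the sibling branch reports `encryptionKeyConflictError` — starts outside the hunk, so whether an empty-string `kms_key_id` also reaches this branch cannot be confirmed from here. Reporting through `tfdiags.Sourceless` rather than an attribute path is appropriate, since an environment variable has no position in the configuration to point at.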
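Review bot: The rewritten Configure branch never verifies the decoded key length: the 44-character check on the encoded string admits 31-, 32- or 33-byte results depending on `=` padding, so a key that is not the 256 bits SSE-C requires passes configuration and only fails later at request time with a far less actionable error. After the `DecodeString` call, add `} else if len(b.customerEncryptionKey) != 32 {` with a diagnostic in the same form as the neighbouring ones (sketched below); the 44-character pre-check can then stay as a friendlier first hint or be dropped. Note also that `DecodeString` returns the partially decoded prefix together with its error, so on the error path `b.customerEncryptionKey` is left holding truncated bytes — harmless because the error diagnostic aborts configuration, but decoding into a local and assigning only on success reads cleaner. Surfacing the decode error via `%s` is fine from a disclosure standpoint, as `base64.CorruptInputError` reports only a byte offset, never the input. The `sse_customer_key` attribute branch that precedes this hunk likely has the same length gap, but it lies outside the hunk.
```go
} else {
	var err error
	if b.customerEncryptionKey, err = base64.StdEncoding.DecodeString(customerKey); err != nil {
		// … unchanged: base64 diagnostic …
	} else if len(b.customerEncryptionKey) != 32 {
		diags = diags.Append(tfdiags.Sourceless(
			tfdiags.Error,
			"Invalid AWS_SSE_CUSTOMER_KEY value",
			`The environment variable "AWS_SSE_CUSTOMER_KEY" must decode to a 256-bit (32-byte) key`,
		))
	}
}
```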
@@ -532,6 +536,12 @@ func intAttrDefault(obj cty.Value, name string, def int) int {
 
 const encryptionKeyConflictError = `Only one of "kms_key_id" and "sse_customer_key" can be set.
 
-The kms_key_id is used for encryption with KMS-Managed Keys (SSE-KMS)
-while sse_customer_key is used for encryption with customer-managed keys (SSE-C).
+The "kms_key_id" is used for encryption with KMS-Managed Keys (SSE-KMS)
+while "sse_customer_key" is used for encryption with customer-managed keys (SSE-C).
+Please choose one or the other.`
+
+const encryptionKeyConflictEnvVarError = `Only one of "kms_key_id" and the environment variable "AWS_SSE_CUSTOMER_KEY" can be set.
+
+The "kms_key_id" is used for encryption with KMS-Managed Keys (SSE-KMS)
+while "AWS_SSE_CUSTOMER_KEY" is used for encryption with customer-managed keys (SSE-C).
 Please choose one or the other.`
diff --git a/internal/backend/remote-state/s3/backend_test.go b/internal/backend/remote-state/s3/backend_test.go
index ad57665ea8..adc1038a8a 100644
--- a/internal/backend/remote-state/s3/backend_test.go
+++ b/internal/backend/remote-state/s3/backend_test.go
@@ -584,7 +584,7 @@ func TestBackendConfig_PrepareConfigValidation(t *testing.T) {
 "bucket": cty.StringVal("test"),
 "key": cty.StringVal("test"),
 "region": cty.StringVal("us-west-2"),
- "workspace_key_prefix": cty.StringVal("env/"),
+ "workspace_key_prefix": cty.StringVal("env"),
 "sse_customer_key": cty.StringVal("1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o="),
 "kms_key_id": cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
 }),
@@ -642,6 +642,19 @@ func TestBackendConfig_PrepareConfigWithEnvVars(t *testing.T) {
 "AWS_DEFAULT_REGION": "us-west-1",
 },
 },
+ "encyrption key conflict": {
+ config: cty.ObjectVal(map[string]cty.Value{
+ "bucket": cty.StringVal("test"),
+ "key": cty.StringVal("test"),
+ "region": cty.StringVal("us-west-2"),
+ "workspace_key_prefix": cty.StringVal("env"),
+ "kms_key_id": cty.StringVal("arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"),
+ }),
+ vars: map[string]string{
+ "AWS_SSE_CUSTOMER_KEY": "1hwbcNPGWL+AwDiyGmRidTWAEVmCWMKbEHA+Es8w75o=",
+ },
+ expectedErr: `Only one of "kms_key_id" and the environment variable "AWS_SSE_CUSTOMER_KEY" can be set`,
+ },
 }
 
 for name, tc := range cases {
@@ -789,11 +802,11 @@ func TestBackendSSECustomerKeyEnvVar(t *testing.T) {
 }{
 "invalid length": {
 customerKey: "test",
- expectedErr: `AWS_SSE_CUSTOMER_KEY must be 44 characters in length`,
+ expectedErr: `The environment variable "AWS_SSE_CUSTOMER_KEY" must be 44 characters in length`,
 },
 "invalid encoding": {
 customerKey: "====CT70aTYB2JGff7AjQtwbiLkwH4npICay1PWtmdka",
- expectedErr: `AWS_SSE_CUSTOMER_KEY must be base64 encoded`,
+ expectedErr: `The environment variable "AWS_SSE_CUSTOMER_KEY" must be base64 encoded`,
 },
 "valid": {
 customerKey: "4Dm1n4rphuFgawxuzY/bEfvLf6rYK0gIjfaDSLlfXNk=",
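Review bot: The new case name `"encyrption key conflict"` in TestBackendConfig_PrepareConfigWithEnvVars misspells "encryption"; since the map key is what `go test -run` matching and failure output show, `"encryption key conflict": {` is worth fixing before merge. The fixture otherwise mirrors the existing validation-test object, and `expectedErr` matches the first line of `encryptionKeyConflictEnvVarError`, so the case does exercise the new PrepareConfig branch.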