diff --git a/internal/command/jsonstate/state.go b/internal/command/jsonstate/state.go
index 4bb2238073..5cd4793d02 100644
--- a/internal/command/jsonstate/state.go
+++ b/internal/command/jsonstate/state.go
@@ -398,7 +398,11 @@ func marshalResources(resources map[string]*states.Resource, module addrs.Module
 
 				current.AttributeValues = marshalAttributeValues(riObj.Value)
 
-				s := SensitiveAsBool(riObj.Value)
+				value, marks := riObj.Value.UnmarkDeepWithPaths()
+				if schema.ContainsSensitive() {
+					marks = append(marks, schema.ValueMarks(value, nil)...)
+				}
+				s := SensitiveAsBool(value.MarkWithPaths(marks))
 				v, err := ctyjson.Marshal(s, s.Type())
 				if err != nil {
 					return nil, err
@@ -445,7 +449,11 @@ func marshalResources(resources map[string]*states.Resource, module addrs.Module
 
 				deposed.AttributeValues = marshalAttributeValues(riObj.Value)
 
-				s := SensitiveAsBool(riObj.Value)
+				value, marks := riObj.Value.UnmarkDeepWithPaths()
+				if schema.ContainsSensitive() {
+					marks = append(marks, schema.ValueMarks(value, nil)...)
+				}
+				s := SensitiveAsBool(value.MarkWithPaths(marks))
 				v, err := ctyjson.Marshal(s, s.Type())
 				if err != nil {
 					return nil, err
diff --git a/internal/command/jsonstate/state_test.go b/internal/command/jsonstate/state_test.go
index 8fc00a7e29..60b234185c 100644
--- a/internal/command/jsonstate/state_test.go
+++ b/internal/command/jsonstate/state_test.go
@@ -226,7 +226,49 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
+				},
+			},
+			false,
+		},
+		"single resource_with_sensitive": {
+			map[string]*states.Resource{
+				"test_thing.baz": {
+					Addr: addrs.AbsResource{
+						Resource: addrs.Resource{
+							Mode: addrs.ManagedResourceMode,
+							Type: "test_thing",
+							Name: "bar",
+						},
+					},
+					Instances: map[addrs.InstanceKey]*states.ResourceInstance{
+						addrs.NoKey: {
+							Current: &states.ResourceInstanceObjectSrc{
+								Status:    states.ObjectReady,
+								AttrsJSON: []byte(`{"woozles":"confuzles","foozles":"sensuzles"}`),
+							},
+						},
+					},
+					ProviderConfig: addrs.AbsProviderConfig{
+						Provider: addrs.NewDefaultProvider("test"),
+						Module:   addrs.RootModule,
+					},
+				},
+			},
+			testSchemas(),
+			[]Resource{
+				{
+					Address:      "test_thing.bar",
+					Mode:         "managed",
+					Type:         "test_thing",
+					Name:         "bar",
+					Index:        nil,
+					ProviderName: "registry.terraform.io/hashicorp/test",
+					AttributeValues: AttributeValues{
+						"foozles": json.RawMessage(`"sensuzles"`),
+						"woozles": json.RawMessage(`"confuzles"`),
+					},
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@@ -343,7 +385,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@@ -385,7 +427,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@@ -430,7 +472,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
@@ -478,7 +520,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 				{
 					Address:      "test_thing.bar",
@@ -492,7 +534,7 @@ func TestMarshalResources(t *testing.T) {
 						"foozles": json.RawMessage(`null`),
 						"woozles": json.RawMessage(`"confuzles"`),
 					},
-					SensitiveValues: json.RawMessage("{}"),
+					SensitiveValues: json.RawMessage("{\"foozles\":true}"),
 				},
 			},
 			false,
diff --git a/internal/command/testdata/show-json/conditions/output-refresh-only.json b/internal/command/testdata/show-json/conditions/output-refresh-only.json
index 291bbd773e..7b1845f1d7 100644
--- a/internal/command/testdata/show-json/conditions/output-refresh-only.json
+++ b/internal/command/testdata/show-json/conditions/output-refresh-only.json
@@ -56,7 +56,9 @@
               "id": "placeheld",
               "password": null
             },
-            "sensitive_values": {}
+            "sensitive_values": {
+              "password": true
+            }
           },
           {
             "address": "test_instance.foo",
@@ -70,7 +72,9 @@
               "id": "placeholder",
               "password": null
             },
-            "sensitive_values": {}
+            "sensitive_values": {
+              "password": true
+            }
           }
         ]
       }