diff --git a/modules/kms/README.md b/modules/kms/README.md
new file mode 100644
index 0000000..3730ef1
--- /dev/null
+++ b/modules/kms/README.md
@@ -0,0 +1,42 @@
+# cloudwatch-logs-encription
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_alias.alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key_policy) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [kms\_alias\_name](#input\_kms\_alias\_name) | Alias name for the KMS key | `string` | `"cloudwatch-key"` | no |
+| [kms\_key\_cloudwatch](#input\_kms\_key\_cloudwatch) | KMS key policy for CloudWatch logs | `bool` | `true` | no |
+| [kms\_key\_description](#input\_kms\_key\_description) | Description for the KMS key | `string` | `"KMS key for CloudWatch log group encryption"` | no |
+| [kms\_key\_policy](#input\_kms\_key\_policy) | KMS key policy | `any` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key |
+| [kms\_key\_id](#output\_kms\_key\_id) | The ID of the KMS key |
+
diff --git a/modules/kms/data.tf b/modules/kms/data.tf
new file mode 100644
index 0000000..8fc4b38
--- /dev/null
+++ b/modules/kms/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
diff --git a/modules/kms/locals.tf b/modules/kms/locals.tf
new file mode 100644
index 0000000..3e6e8d0
--- /dev/null
+++ b/modules/kms/locals.tf
@@ -0,0 +1,34 @@
+locals {
+ cloudwatch_logs_policy = jsonencode(
+ {
+ Id = "CloudWatch"
+ Statement = [
+ {
+ Action = [
+ "kms:*"
+ ],
+ Effect = "Allow"
+ Principal = {
+ Service = "logs.amazonaws.com"
+ }
+
+ Resource = "*"
+ Sid = "AllowCloudWatchToUseKey"
+ },
+ {
+ Action = [
+ "kms:*"
+ ],
+ Effect = "Allow"
+ Principal = {
+ AWS = data.aws_caller_identity.current.account_id
+ }
+
+ Resource = "*"
+ Sid = "AllowAccountManageKey"
+ }
+ ]
+ Version = "2012-10-17"
+ }
+ )
+}
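Review bot: The `AllowCloudWatchToUseKey` statement grants `kms:*` to `logs.amazonaws.com` with no `Condition`, so CloudWatch Logs acting for any AWS account can use this key, and the service principal also receives administrative actions (`kms:PutKeyPolicy`, `kms:ScheduleKeyDeletion`) that log encryption never needs. The service needs only the data-plane actions, and the grant should be pinned to this account's log groups through the `kms:EncryptionContext:aws:logs:arn` condition key, which is the shape AWS documents for log-group encryption. The `AllowAccountManageKey` statement is the usual lockout guard and can stay as written; the fence below rewrites only the service statement.
```hcl
locals {
  cloudwatch_logs_policy = jsonencode(
    {
      Id      = "CloudWatch"
      Version = "2012-10-17"
      Statement = [
        {
          Sid    = "AllowCloudWatchToUseKey"
          Effect = "Allow"
          Principal = {
            Service = "logs.amazonaws.com"
          }
          # Data-plane actions only; the service needs no key administration.
          Action = [
            "kms:Encrypt*",
            "kms:Decrypt*",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:Describe*",
          ]
          Resource = "*"
          # Only log groups in this account may use the key (confused-deputy guard).
          Condition = {
            ArnLike = {
              "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:*:${data.aws_caller_identity.current.account_id}:*"
            }
          }
        },
        # … unchanged: AllowAccountManageKey statement …
      ]
    }
  )
}
```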
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
new file mode 100644
index 0000000..4716736
--- /dev/null
+++ b/modules/kms/main.tf
@@ -0,0 +1,15 @@
+resource "aws_kms_key" "this" {
+ description = var.kms_key_description
+ enable_key_rotation = true
+}
+
+resource "aws_kms_alias" "alias" {
+ name = "alias/${var.kms_alias_name}"
+ target_key_id = aws_kms_key.this.id
+}
+
+
+resource "aws_kms_key_policy" "this" {
+ key_id = aws_kms_key.this.id
+ policy = var.kms_key_cloudwatch ? local.cloudwatch_logs_policy : var.kms_key_policy
+}
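Review bot: When `kms_key_cloudwatch` is false and the caller leaves `kms_key_policy` at its `null` default, the conditional on the `policy` line evaluates to `null` and `aws_kms_key_policy.this` fails with a missing-required-argument error that does not name the module input at fault. A `precondition` on the resource reports the real cause at plan time. Separately, `deletion_window_in_days` is left unset on `aws_kms_key.this`; for a key that encrypts log history the recovery window is worth setting explicitly rather than inheriting the provider default.
```hcl
resource "aws_kms_key_policy" "this" {
  key_id = aws_kms_key.this.id
  policy = var.kms_key_cloudwatch ? local.cloudwatch_logs_policy : var.kms_key_policy

  lifecycle {
    precondition {
      condition     = var.kms_key_cloudwatch || var.kms_key_policy != null
      error_message = "kms_key_policy must be set when kms_key_cloudwatch is false."
    }
  }
}
```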
diff --git a/modules/kms/output.tf b/modules/kms/output.tf
new file mode 100644
index 0000000..0e7e1f9
--- /dev/null
+++ b/modules/kms/output.tf
@@ -0,0 +1,9 @@
+output "kms_key_id" {
+ description = "The ID of the KMS key"
+ value = aws_kms_key.this.id
+}
+
+output "kms_key_arn" {
+ description = "The ARN of the KMS key"
+ value = aws_kms_key.this.arn
+}
diff --git a/modules/kms/tests/basic/README.md b/modules/kms/tests/basic/README.md
new file mode 100644
index 0000000..b2cde85
--- /dev/null
+++ b/modules/kms/tests/basic/README.md
@@ -0,0 +1,29 @@
+# basic
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [kms\_for\_cloudwatch](#module\_kms\_for\_cloudwatch) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
diff --git a/modules/kms/tests/basic/main.tf b/modules/kms/tests/basic/main.tf
new file mode 100644
index 0000000..5925d50
--- /dev/null
+++ b/modules/kms/tests/basic/main.tf
@@ -0,0 +1,6 @@
+module "kms_for_cloudwatch" {
+ source = "../../"
+
+ kms_key_description = "Encryption key for example log group"
+ kms_alias_name = "example-log-group-key"
+}
diff --git a/modules/kms/tests/policy/README.md b/modules/kms/tests/policy/README.md
new file mode 100644
index 0000000..af8d99c
--- /dev/null
+++ b/modules/kms/tests/policy/README.md
@@ -0,0 +1,29 @@
+# policy
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [kms\_for\_cloudwatch](#module\_kms\_for\_cloudwatch) | ../../ | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
diff --git a/modules/kms/tests/policy/main.tf b/modules/kms/tests/policy/main.tf
new file mode 100644
index 0000000..3c0bf83
--- /dev/null
+++ b/modules/kms/tests/policy/main.tf
@@ -0,0 +1,27 @@
+module "kms_for_cloudwatch" {
+ source = "../../"
+
+ kms_key_description = "Encryption key for example log group"
+ kms_alias_name = "example-log-group-key"
+ kms_key_cloudwatch = false
+ kms_key_policy = jsonencode(
+ {
+ Id = "CloudWatch"
+ Statement = [
+ {
+ Action = [
+ "kms:*"
+ ],
+ Effect = "Allow"
+ Principal = {
+ Service = "logs.amazonaws.com"
+ }
+
+ Resource = "*"
+ Sid = "AllowCloudWatchToUseKey"
+ }
+ ]
+ Version = "2012-10-17"
+ }
+ )
+}
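Review bot: The custom policy in this example carries only the `logs.amazonaws.com` statement and nothing that lets a principal in the account call `kms:PutKeyPolicy`, so the key-policy lockout safety check (which `aws_kms_key_policy` leaves enabled by default) will reject it at apply, and were it bypassed the key policy could never be changed again. The example should include an account-admin statement next to the service statement, which also keeps it consistent with the module's built-in policy in locals.tf. As in locals.tf, `kms:*` for the service principal is broader than CloudWatch Logs needs.
```hcl
data "aws_caller_identity" "current" {}

module "kms_for_cloudwatch" {
  # … unchanged: source, kms_key_description, kms_alias_name, kms_key_cloudwatch = false …
  kms_key_policy = jsonencode(
    {
      Id      = "CloudWatch"
      Version = "2012-10-17"
      Statement = [
        # … unchanged: AllowCloudWatchToUseKey statement …
        {
          Sid    = "AllowAccountManageKey"
          Effect = "Allow"
          Principal = {
            AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
          }
          Action   = "kms:*"
          Resource = "*"
        },
      ]
    }
  )
}
```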
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
new file mode 100644
index 0000000..65ee32e
--- /dev/null
+++ b/modules/kms/variables.tf
@@ -0,0 +1,23 @@
+variable "kms_key_description" {
+ description = "Description for the KMS key"
+ type = string
+ default = "KMS key for CloudWatch log group encryption"
+}
+
+variable "kms_alias_name" {
+ description = "Alias name for the KMS key"
+ type = string
+ default = "cloudwatch-key"
+}
+
+variable "kms_key_cloudwatch" {
+ type = bool
+ default = true
+ description = "KMS key policy for CloudWatch logs"
+}
+
+variable "kms_key_policy" {
+ type = any
+ description = "KMS key policy"
+ default = null
+}
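Review bot: `kms_key_policy` is declared `type = any`, but main.tf passes it straight to `policy`, which expects a JSON string, so an HCL object passes variable validation and only fails at apply; `type = string` catches that at plan time. The descriptions also leave the switch semantics implicit — `kms_key_cloudwatch` is a toggle, not a policy. Suggested: `type = string` on `kms_key_policy`; description `"Use the module's built-in CloudWatch Logs key policy; when false, kms_key_policy must be supplied"` on `kms_key_cloudwatch`; and `"Full KMS key policy as a JSON string; required when kms_key_cloudwatch is false"` on `kms_key_policy`.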