diff --git a/aws/cloudtrail/README.md b/aws/cloudtrail/README.md index fedc4bc..1143dfc 100644 --- a/aws/cloudtrail/README.md +++ b/aws/cloudtrail/README.md @@ -1,3 +1,7 @@ +# Deprecation Notice + +This module is deprecated. Use https://registry.terraform.io/modules/silinternational/cloudtrail/aws/latest instead. + # aws/cloudtrail - CloudTrail This module is used to set up CloudTrail logging for your AWS account. @@ -5,6 +9,7 @@ This module is used to set up CloudTrail logging for your AWS account. - Create S3 bucket for CloudTrail logs - Create IAM user with read-only access to CloudTrail S3 bucket + - (Optional:) Create an Access Key and Secret for that IAM user - Enable CloudTrail logging ## Required Inputs @@ -15,10 +20,12 @@ This module is used to set up CloudTrail logging for your AWS account. - `cloudtrail_name` - The name for your Trail in AWS CloudTrail. Default: `"aws-account-cloudtrail"` - `is_multi_region_trail` - Whether the trail is created in the current region or in all regions. Default: `false` +- `create_access_key` - Whether to create an Access Key/Secret for the created IAM user. Default: `false` ## Outputs -_none_ +- `s3_access_key_id` - The Access Key ID for the IAM user that has access to the S3 bucket, if requested. +- `s3_access_key_secret` - The Access Key Secret for the IAM user that has access to the S3 bucket, if requested. ## Example Usage diff --git a/aws/cloudtrail/main.tf b/aws/cloudtrail/main.tf index ef6d625..2219c5b 100644 --- a/aws/cloudtrail/main.tf +++ b/aws/cloudtrail/main.tf @@ -65,6 +65,11 @@ resource "aws_iam_user_policy" "cloudtrail-s3" { }) } +resource "aws_iam_access_key" "cloudtrail-s3" { + count = var.create_access_key ? 1 : 0 + user = aws_iam_user.cloudtrail-s3.name +} + resource "aws_cloudtrail" "cloudtrail" { count = 1 name = var.cloudtrail_name diff --git a/aws/cloudtrail/outputs.tf b/aws/cloudtrail/outputs.tf new file mode 100644 index 0000000..bfb484f --- /dev/null +++ b/aws/cloudtrail/outputs.tf 
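Review bot: The new `aws_iam_access_key.cloudtrail-s3` resource in the main.tf hunk writes the generated secret to Terraform state in plaintext, so anyone who can read the state backend obtains a long-lived credential for the read-only user, and nothing in the hunk records that trade-off. A comment on the resource would make it visible, e.g. `# NOTE: the secret is stored in plaintext in Terraform state; protect the backend or use pgp_key + encrypted_secret`. The same caveat belongs in the `create_access_key` description in vars.tf and in the README "Outputs" bullets, which currently describe the key only as optional. If the provider version in use supports it, setting `pgp_key` and exposing `encrypted_secret` instead of `secret` should keep the plaintext out of state, though that changes the output contract and I cannot confirm the pinned provider version from here.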
@@ -0,0 +1,10 @@
+output "s3_access_key_id" {
+ value = one(aws_iam_access_key.cloudtrail-s3[*].id)
+ description = "The (optional) Access Key ID for the IAM user"
+}
+
+output "s3_access_key_secret" {
+ value = one(aws_iam_access_key.cloudtrail-s3[*].secret)
+ sensitive = true
+ description = "The (optional) Access Key Secret for the IAM user"
+}
diff --git a/aws/cloudtrail/vars.tf b/aws/cloudtrail/vars.tf
index 34b699d..e3081ad 100644
--- a/aws/cloudtrail/vars.tf
+++ b/aws/cloudtrail/vars.tf
@@ -4,6 +4,12 @@ variable "cloudtrail_name" {
 type = string
 }
 
+variable "create_access_key" {
+ description = "Whether to create an Access Key/Secret for the created IAM user"
+ default = false
+ type = bool
+}
+
 variable "is_multi_region_trail" {
 description = "Whether the trail is created in the current region or in all regions"
 type = bool
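Review bot: Both `value` expressions in the new outputs.tf use `one()`, which exists only in Terraform 0.15 and later, and this commit adds no `required_version` constraint, so an older CLI fails with an unhelpful "function not found" error instead of a clear version message; if the module has no versions.tf (not visible here), add `terraform { required_version = ">= 0.15" }`. `sensitive = true` on `s3_access_key_secret` only redacts the value from plan/apply output; it is still held in plaintext in state and is readable with `terraform output -raw s3_access_key_secret`, which the description should say so consumers treat their state backend accordingly, e.g. `description = "The (optional) Access Key Secret for the IAM user; stored in plaintext in Terraform state"`. `one()` returns null when `create_access_key` is false, so callers should expect null rather than an empty string from both outputs, which is worth a line in the README output bullets.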