diff --git a/s3-cloudfront.cfhighlander.rb b/s3-cloudfront.cfhighlander.rb
index a8bb1ab..f07d80b 100644
--- a/s3-cloudfront.cfhighlander.rb
+++ b/s3-cloudfront.cfhighlander.rb
@@ -6,6 +6,10 @@
     ComponentParam 'EnvironmentName', 'dev', isGlobal: true
     ComponentParam 'EnvironmentType', 'development', allowedValues: ['development','production'], isGlobal: true
     ComponentParam 'DnsDomain', isGlobal: true
+    if enable_s3_logging
+      ComponentParam 'LogFilePrefix', ''
+      ComponentParam 'AccessLogsBucket'
+    end
   end
 
   Component name: cloudfront_component_name, template: 'cloudfront@master.snapshot', render: Inline, config: @config do
diff --git a/s3-cloudfront.cfndsl.rb b/s3-cloudfront.cfndsl.rb
index bfe778b..54a5500 100644
--- a/s3-cloudfront.cfndsl.rb
+++ b/s3-cloudfront.cfndsl.rb
@@ -27,8 +27,18 @@
   end
 
+  bucket_encryption = external_parameters.fetch(:bucket_encryption, nil)
+  enable_s3_logging = external_parameters[:enable_s3_logging]
+
+  Condition(:SetLogFilePrefix, FnNot(FnEquals(Ref(:LogFilePrefix), ''))) if enable_s3_logging
+
   S3_Bucket('Bucket') do
     BucketName FnSub(external_parameters[:bucket_name])
+    LoggingConfiguration ({
+      DestinationBucketName: Ref(:AccessLogsBucket),
+      LogFilePrefix: FnIf(:SetLogFilePrefix, Ref(:LogFilePrefix), Ref('AWS::NoValue'))
+    }) if enable_s3_logging
+
     BucketEncryption bucket_encryption unless bucket_encryption.nil?
   end
 
   S3_BucketPolicy("BucketPolicy") do
diff --git a/s3-cloudfront.config.yaml b/s3-cloudfront.config.yaml
index 2282468..47c1628 100644
--- a/s3-cloudfront.config.yaml
+++ b/s3-cloudfront.config.yaml
@@ -1,4 +1,5 @@
 bucket_name: frontend.${EnvironmentName}.${DnsDomain}
+enable_s3_logging: false
 cloudfront_component_name: cloudfront
 # bucket_policy:
 #   OpsAccount:
diff --git a/tests/bucket_encryption.test.yaml b/tests/bucket_encryption.test.yaml
new file mode 100644
index 0000000..842a1cc
--- /dev/null
+++ b/tests/bucket_encryption.test.yaml
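Review bot: `enable_s3_logging` is used as a bare name inside the Parameters block while the Component line four lines below reads config through `@config`; if cfhighlander resolves config keys as bare names here this works, but a one-line comment such as `# enable_s3_logging is read from s3-cloudfront.config.yaml` would stop the next reader from treating it as an undefined local. `AccessLogsBucket` has no default, so a deploy with logging enabled fails parameter validation unless the caller supplies it, and S3 additionally rejects a LoggingConfiguration whose destination bucket does not grant log-delivery write access; a comment on that parameter stating both requirements turns a failed stack update into a documented precondition. The Parameters block enclosing these lines begins before the hunk.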
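Review bot: `LoggingConfiguration ({ ... }) if enable_s3_logging` leaves a space between the method name and the parenthesised hash, which Ruby parses as a grouped argument and warns about; binding the hash to a local inside a plain `if` reads better and keeps the property visibly under the same guard as the Condition above. The `BucketEncryption bucket_encryption unless bucket_encryption.nil?` context line predates this change, so `bucket_encryption` was presumably assigned somewhere above line 27 already; if that assignment still exists the new `fetch` duplicates it and one of the two should go. For consistency the second lookup could also use `fetch`, e.g. `enable_s3_logging = external_parameters.fetch(:enable_s3_logging, false)`, so a config that omits the key reads as a deliberate default rather than nil. The block enclosing these statements starts and ends outside the hunk.
```ruby
  S3_Bucket('Bucket') do
    BucketName FnSub(external_parameters[:bucket_name])
    if enable_s3_logging
      logging_config = {
        DestinationBucketName: Ref(:AccessLogsBucket),
        LogFilePrefix: FnIf(:SetLogFilePrefix, Ref(:LogFilePrefix), Ref('AWS::NoValue'))
      }
      LoggingConfiguration logging_config
    end
    # … unchanged: BucketEncryption …
```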
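Review bot: `enable_s3_logging: false` is added without the explanatory comment the neighbouring `# bucket_policy:` example gives, yet switching it to true pulls two parameters into the template (`AccessLogsBucket`, required, and `LogFilePrefix`, optional) per s3-cloudfront.cfhighlander.rb in this commit. A comment such as `# set true to enable S3 server access logging; requires the AccessLogsBucket parameter` states what an operator takes on by flipping the flag. Leaving access logging off by default is a choice worth recording in that same comment so it is not mistaken for an oversight.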
@@ -0,0 +1,13 @@
+test_metadata:
+  type: config
+  name: Bucket and encryption
+  description: Create bucket with encryption
+
+bucket_name: frontend.${EnvironmentName}.${DnsDomain}
+enable_s3_logging: true
+
+bucket_encryption:
+  ServerSideEncryptionConfiguration:
+    -
+      ServerSideEncryptionByDefault:
+        SSEAlgorithm: AES256
\ No newline at end of file
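Review bot: the test's `name` and `description` mention only encryption, but the fixture also sets `enable_s3_logging: true`, so a render failure in the logging path would surface under an encryption test name; either widen the metadata (`name: Bucket with encryption and access logging`) or move the logging case into its own test file so each feature fails on its own. The file also ends without a trailing newline (`\ No newline at end of file`), which makes the next edit show a spurious change on the last line.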