diff --git a/cloudtrail/OFF/README.md b/cloudtrail/OFF/README.md
new file mode 100644
index 0000000..cb413c4
--- /dev/null
+++ b/cloudtrail/OFF/README.md
@@ -0,0 +1,39 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+| [local](#provider\_local) | n/a |
+| [null](#provider\_null) | n/a |
+| [template](#provider\_template) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudtrail.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail) | resource |
+| [aws_cloudwatch_log_group.inf-cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_iam_policy.cloudtrail_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_kms_key.cloudtrail_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [local_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [null_resource.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [aws_iam_policy_document.cloudtrail_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.cloudtrail_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [template_file.splunk_cloudtrail](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/cloudtrail/OFF/role.tf b/cloudtrail/OFF/role.tf
new file mode 100644
index 0000000..c443d4e
--- /dev/null
+++ b/cloudtrail/OFF/role.tf
@@ -0,0 +1,141 @@
+locals {
+ cloudwatch_prefix = replace(aws_cloudwatch_log_group.inf-cloudtrail.arn, "/:\\*$/", "")
+ cloudwatch_suffix = "${var.account_id}_CloudTrail_${var.region}*"
+ cloudwatch_resources = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+ cloudtrail_policies = list(data.terraform_remote_state.common.outputs.policy_deny_billing_arn, aws_iam_policy.inf-cloudtrail.arn)
+ cloudtrail_bucket_arn = aws_s3_bucket.cloudtrail.arn
+
+ cloudtrail_role_name = format("%v%v", local._prefixes["role"], local.role_name)
+ cloudtrail_policy_name = format("%v%v", local._prefixes["policy"], local.role_name)
+
+}
+
+resource "aws_iam_role" "cloudtrail" {
+ name = local.cloudtrail_role_name
+ assume_role_policy = data.aws_iam_policy_document.cloudtrail_assume.json
+ description = "AWS CloudTrail Role for ${local.region}"
+ force_detach_policies = false
+ max_session_duration = 3600
+ # add deny billing
+ attached_policies = [aws_iam_policy.cloudtrail_policy.arn]
+ path = "/"
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ )
+}
+
+
+data "aws_iam_policy_document" "cloudtrail_assume" {
+ statement {
+ sid = "AWSCloudTrailServiceAssumeRole"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["cloudtrail.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_policy" "cloudtrail_policy" {
+ name = local.cloudtrail_policy_name
+ policy = data.aws_iam_policy_document.cloudtrail_cloudwatch.json
+}
+
+
+resource "aws_kms_key" "cloudtrail_key" {
+ description = "encrypt inf-cloudtrail objects and streams"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.cloudtrail_key.json
+
+ tags = merge(
+ local.common_tags,
+ map("Name", var.kms_cloudtrail_key)
+ )
+}
+
+data "aws_iam_policy_document" "cloudtrail_cloudwatch" {
+ statement {
+ sid = "AWSCloudTrailCreateLogStream"
+ effect = "Allow"
+ actions = ["logs:CreateLogStream"]
+ resources = [local.cloudwatch_resources]
+ }
+
+ statement {
+ sid = "AWSCloudTrailPutLogEvents"
+ effect = "Allow"
+ actions = ["logs:PutLogEvents"]
+ resources = [local.cloudwatch_resources]
+ }
+}
+
+resource "aws_cloudtrail" "cloudtrail" {
+ name = "inf-cloudtrail"
+ s3_bucket_name = aws_s3_bucket.cloudtrail.id
+
+ # s3_key_prefix =
+ include_global_service_events = true
+ is_multi_region_trail = true
+ enable_log_file_validation = true
+ enable_logging = true
+
+ kms_key_id = aws_kms_key.cloudtrail_key.arn
+ sns_topic_name = aws_sns_topic.cloudtrail.arn
+ cloud_watch_logs_group_arn = aws_cloudwatch_log_group.inf-cloudtrail.arn
+ cloud_watch_logs_role_arn = aws_iam_role.inf-cloudtrail.arn
+
+ tags = merge(
+ local.common_tags,
+ {
+ "Project Role" = local.project_role["inf"]
+ },
+ map("Name", "inf-cloudtrail-cloudwatch"),
+ )
+}
+
+resource "aws_cloudwatch_log_group" "inf-cloudtrail" {
+ name = "inf-cloudtrail"
+
+ # kms_key_id = aws_kms_key.cloudtrail_key.arn
+ retention_in_days = 7
+
+ tags = merge(
+ local.common_tags,
+ map("Name", "inf-cloudtrail-cloudwatch-log"),
+ )
+}
+
+## # add this later after creating additional buckets for applications
+## # or, create an app-specific bucket for the cloudtrail logs
+## resource "aws_cloudtrail" "inf-cloudtrail-s3" {
+## name = "inf-cloudtrail-s3"
+## s3_bucket_name = aws_s3_bucket.cloudtrail.id
+## s3_key_prefix = "inf-s3"
+##
+## include_global_service_events = true
+## is_multi_region_trail = true
+## enable_log_file_validation = true
+## enable_logging = true
+##
+## kms_key_id = aws_kms_key.cloudtrail_key.arn
+##
+## tags = merge(
+## local.common_tags,
+## map("Name", "inf-cloudtrail-s3"),
+## )
+##
+## event_selector {
+## read_write_type = "All"
+## include_management_events = true
+##
+## data_resource {
+## type = "AWS::S3::Object"
+## values = [ "${aws_s3_bucket.edl-poc-dl-versioned.arn}/" ]
+## }
+## }
+## }
+##
diff --git a/cloudtrail/main.tf b/cloudtrail/main.tf
index 31682eb..06211a0 100644
--- a/cloudtrail/main.tf
+++ b/cloudtrail/main.tf
@@ -136,6 +136,7 @@ locals {
_name = var.name == null ? format("%v-%v", lookup(local._defaults["cloudtrail"], "name"), local.region) : var.name
name = var.enable_organization ? lookup(local._defaults["org_cloudtrail"], "name") : local._name
+ s3_name = format("%v-s3", local.name)
kms_key_name = format("k-%v", local.name)
kms_admin_root = format("arn:%v:iam::%v:root", local.partition, local.account_id)
# kms_admin_roles = compact(concat([var.kms_admin_root], var.kms_admin_roles))
diff --git a/cloudtrail/s3.tf b/cloudtrail/s3.tf
index 026f5cd..35bb3c9 100644
--- a/cloudtrail/s3.tf
+++ b/cloudtrail/s3.tf
@@ -110,7 +110,7 @@ resource "aws_s3_bucket_notification" "this" {
bucket = aws_s3_bucket.this.id
topic {
- topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3.arn : null
+ topic_arn = try(aws_sns_topic.cloudtrail_s3[0].arn, null)
events = ["s3:ObjectCreated:*"]
# filter_suffix = ".log"
}
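Review bot: `try(aws_sns_topic.cloudtrail_s3[0].arn, null)` swallows every evaluation error on that expression rather than only the "topic not created" case, so a genuine reference problem would silently degrade to a bucket with no delivery notification instead of a failed plan; the explicit form `topic_arn = var.enable_s3_sns ? aws_sns_topic.cloudtrail_s3[0].arn : null` keeps the failure loud and the dependency visible. Either form still leaves a `topic` block whose `topic_arn` is null when `enable_s3_sns` is false, and as far as I recall that argument is required inside the block, so the disabled case likely errors anyway; a `dynamic "topic"` block driven by the counted topic resource removes the block entirely when there is nothing to notify. The enclosing aws_s3_bucket_notification resource continues beyond this hunk.
```hcl
  # … unchanged: bucket argument …
  dynamic "topic" {
    for_each = aws_sns_topic.cloudtrail_s3
    content {
      topic_arn = topic.value.arn
      events    = ["s3:ObjectCreated:*"]
      # filter_suffix = ".log"
    }
  }
```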
diff --git a/cloudtrail/sns.s3.tf b/cloudtrail/sns.s3.tf
index e11f316..9369edb 100644
--- a/cloudtrail/sns.s3.tf
+++ b/cloudtrail/sns.s3.tf
@@ -1,12 +1,12 @@
resource "aws_sns_topic" "cloudtrail_s3" {
count = var.enable_s3_sns ? 1 : 0
- name = local.name
+ name = local.s3_name
kms_master_key_id = data.aws_kms_key.incoming_key.id
tags = merge(
local.base_tags,
var.tags,
- tomap({ Name = local.name }),
+ tomap({ Name = local.s3_name }),
)
}
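Review bot: Switching `name` from `local.name` to `local.s3_name` on aws_sns_topic.cloudtrail_s3 changes an immutable attribute, so an existing topic is destroyed and recreated on the next apply, and the same applies to the queue names changed in `sqs.s3.tf` (both `cloudtrail_s3` and `cloudtrail_s3_deadletter`); any subscriptions and the bucket notification in `s3.tf` will be torn down and rebuilt, with a window where CloudTrail object-created events are not delivered. That is presumably intended to disambiguate the S3-notification topic from the main trail name, but it deserves a line in the commit description or a `# renamed: forces replacement of topic and queues` comment so operators plan the cut-over. If the old names must be kept for existing deployments, a `moved`/import step or keeping the previous name behind a variable would avoid the replacement.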
@@ -17,7 +17,7 @@ resource "aws_sns_topic_policy" "cloudtrail_s3" {
}
data "aws_iam_policy_document" "cloudtrail_s3_topic" {
- policy_id = format("%v_s3_topic", local.name)
+ policy_id = format("%v_s3_topic", local.s3_name)
statement {
sid = "CloudtrailS3SNSPermissions"
effect = "Allow"
diff --git a/cloudtrail/sqs.s3.tf b/cloudtrail/sqs.s3.tf
index d7241d9..35fb8ec 100644
--- a/cloudtrail/sqs.s3.tf
+++ b/cloudtrail/sqs.s3.tf
@@ -1,7 +1,7 @@
resource "aws_sqs_queue" "cloudtrail_s3_deadletter" {
count = var.enable_s3_sqs ? 1 : 0
# delay=0 retention=4d max=256k visibility=1h
- name = format("%v-deadletter", local.name)
+ name = format("%v-deadletter", local.s3_name)
delay_seconds = 0
max_message_size = 262144
message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 1 * 86400)
@@ -15,7 +15,7 @@ resource "aws_sqs_queue" "cloudtrail_s3_deadletter" {
tags = merge(
local.base_tags,
var.tags,
- tomap({ Name = format("%v-deadletter", local.name) }),
+ tomap({ Name = format("%v-deadletter", local.s3_name) }),
)
}
@@ -47,7 +47,7 @@ data "aws_iam_policy_document" "cloudtrail_s3_deadletter" {
resource "aws_sqs_queue" "cloudtrail_s3" {
count = var.enable_s3_sqs ? 1 : 0
# delay=0 retention=7d max=256k visibity=2h
- name = local.name
+ name = local.s3_name
delay_seconds = 0
max_message_size = 262144
message_retention_seconds = lookup(local._defaults["sqs_deadletter"], "message_retention_seconds", 7 * 86400)
@@ -66,7 +66,7 @@ resource "aws_sqs_queue" "cloudtrail_s3" {
tags = merge(
local.base_tags,
var.tags,
- tomap({ Name = local.name }),
+ tomap({ Name = local.s3_name }),
)
}