diff --git a/config/README.md b/config/README.md index 6f27800..e080a35 100644 --- a/config/README.md +++ b/config/README.md @@ -2,6 +2,7 @@ This set up the needed components for config per region including: +* S3 Bucket * Role * Policy * SNS Topic @@ -15,8 +16,6 @@ Here is a simple example, the one most commonly expected to be used. ```hcl module "config" { source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//config" - - bucket_id = module.config_s3.config_bucket_id account_alias = "ma5-gov" ## optional @@ -54,6 +53,8 @@ No modules. | [aws_iam_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_role.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy_attachment.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_s3_bucket.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_public_access_block.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | | [aws_sns_topic.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | | [aws_sns_topic_policy.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_policy) | resource | | [aws_sns_topic_subscription.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | 
@@ -72,7 +73,6 @@ No modules. | [aws_iam_policy_document.config_sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.config_sqs_deadletter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_s3_bucket.config_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | | [template_file.splunk](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | ## Inputs diff --git a/config/main.tf b/config/main.tf index 8ff4fa5..3288577 100644 --- a/config/main.tf +++ b/config/main.tf @@ -3,6 +3,7 @@ * * This set up the needed components for config per region including: * +* * S3 Bucket * * Role * * Policy * * SNS Topic @@ -16,8 +17,6 @@ * ```hcl * module "config" { * source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//config" -* -* bucket_id = module.config_s3.config_bucket_id * account_alias = "ma5-gov" * * ## optional @@ -36,11 +35,12 @@ locals { # inf-config-{region} name = var.name != "" ? var.name : format("%v-%v", lookup(local._defaults["config"], "name"), local.config_region) + bucket_name = local.name role_name = format("%v%v", local._prefixes["role"], local.name) policy_name = format("%v%v", local._prefixes["policy"], local.name) - bucket_id = var.bucket_id - bucket_arn = data.aws_s3_bucket.config_s3.arn + bucket_id = aws_s3_bucket.config.id + bucket_arn = aws_s3_bucket.config.arn base_tags = { "Organization" = "census:aditcio:csvd" 
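Review bot: `bucket_name = local.name` in the main.tf locals hunk derives the new S3 bucket's name from the `inf-config-{region}` pattern noted just above it, which is unique per region but not per account, while S3 bucket names are global within a partition; a second account applying this module in the same region will fail to create the bucket on a name collision. If the module still exposes `var.account_id` (it is referenced elsewhere in this file), consider qualifying the name with it, e.g. `bucket_name = format("%v-%v", local.name, var.account_id)`, and noting in the README example that the bucket name is now generated rather than passed in. The new `bucket_id`/`bucket_arn` locals read `aws_s3_bucket.config`, whose definition is outside this chunk; the README resource table in this commit lists only the bucket and its public access block, so it is worth confirming the bucket also carries a bucket policy for the Config service principal, server-side encryption and versioning, since it is now the delivery target for the account's configuration history. The enclosing `locals` block starts before this hunk.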
@@ -48,379 +48,3 @@ locals {
 "boc:created_by" = "terraform"
 }
 }
-
-data "aws_s3_bucket" "config_s3" {
- bucket = local.bucket_id
-}
-
-## #---
-## # config: role, policies
-## #---
-## locals {
-## config_bucket_arn = "arn:aws-us-gov:s3:::config-bucket-107742151971"
-## config_bucket_name = element(reverse(split(":", local.config_bucket_arn)), 0)
-## config_policies = [
-## "arn:${data.aws_arn.current.partition}:iam::aws:policy/service-role/AWSConfigRole",
-## aws_iam_policy.config.arn,
-## ]
-## }
-##
-## resource "aws_iam_role" "config" {
-## name = local.role_name
-##
-## assume_role_policy = data.aws_iam_policy_document.config_assume.json
-## description = "AWS Config Role for ${local.config_region}"
-## force_detach_policies = false
-## max_session_duration = 3600
-## path = "/service-role/"
-##
-## tags = merge(
-## local.base_tags,
-## var.tags,
-## tomap({"Name" = local.role_name}),
-## )
-## }
-##
-## #---
-## # sts config assume
-## #---
-## data "aws_iam_policy_document" "config_assume" {
-## statement {
-## sid = "AWSConfigServiceAssumeRole"
-## effect = "Allow"
-## actions = ["sts:AssumeRole"]
-##
-## principals {
-## type = "Service"
-## identifiers = ["config.amazonaws.com"]
-## }
-## }
-## }
-##
-## #---
-## # config policy
-## #---
-## data "aws_iam_policy_document" "config" {
-## statement {
-## sid = "AWSConfigAllowBucketPutObject"
-## effect = "Allow"
-## actions = ["s3:PutObject*"]
-## # resources = ["${local.config_bucket_arn}/*"]
-## resources = ["${local.config_bucket_arn}/AWSLogs/${var.account_id}/*"]
-##
-## condition {
-## test = "StringLike"
-## variable = "s3:x-amz-acl"
-## values = ["bucket-owner-full-control"]
-## }
-## }
-##
-## statement {
-## sid = "AWSConfigAllowBucketACL"
-## effect = "Allow"
-## actions = ["s3:GetBucketAcl"]
-## resources = [local.config_bucket_arn]
-## }
-##
-## statement {
-## sid = "AWSConfigPublishTopic"
-## effect = "Allow"
-## actions = ["sns:Publish"]
-## resources = [
-## aws_sns_topic.config.arn
-## ]
-## }
-## }
-##
-## #---
-## # policy: config
-## #---
-## resource "aws_iam_policy" "config" {
-## name = "p-inf-config-${local.region}"
-## path = "/service-role/"
-## description = "Policy for AWS Config for ${local.region}"
-## policy = data.aws_iam_policy_document.config.json
-## }
-##
-## resource "aws_iam_role_policy_attachment" "config" {
-## count = length(local.config_policies)
-## role = aws_iam_role.config.name
-## policy_arn = local.config_policies[count.index]
-## }
-##
-## ## #--
-## ## # much of this is per region, so we list through all the regions in
-## ## # which we are doing this
-## ## # only allows for 1 recorder
-## ## #---
-## resource "aws_config_configuration_recorder" "config" {
-## name = "inf-config-${local.region}"
-## role_arn = aws_iam_role.config.arn
-##
-## recording_group {
-## include_global_resource_types = false
-## all_supported = true
-## }
-## }
-##
-## resource "aws_config_configuration_recorder_status" "config" {
-## name = aws_config_configuration_recorder.config.name
-## is_enabled = true
-## depends_on = [aws_config_delivery_channel.config]
-## }
-##
-## resource "aws_config_delivery_channel" "config" {
-## name = "inf-config-${local.region}"
-## s3_bucket_name = local.config_bucket_name
-## sns_topic_arn = aws_sns_topic.config.arn
-##
-## snapshot_delivery_properties {
-## delivery_frequency = "Six_Hours"
-## }
-##
-## depends_on = [aws_config_configuration_recorder.config]
-## }
-##
-## ## #---
-## ## # config rules
-## ## #---
-## ## locals {
-## ## crules = {
-## ## "vpc-flowlogs" = "VPC_FLOW_LOGS_ENABLED"
-## ## "mfa-console" = "MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS"
-## ## # this requires a parameter
-## ## # "iam-group-check" = "IAM_USER_GROUP_MEMBERSHIP_CHECK"
-## ## "encrypted-volumes" = "ENCRYPTED_VOLUMES"
-## ## "rds-encrypted" = "RDS_STORAGE_ENCRYPTED"
-## ## }
-## ## crules_keys = keys(local.crules)
-## ## crules_values = values(local.crules)
-## ## }
-## ##
-## ## resource "aws_config_config_rule" "config_rules" {
-## ## count = length(local.crules_keys)
-## ## name = "inf-config_rule-${local.crules_keys[count.index]}"
-## ## source {
-## ## owner = "AWS"
-## ## source_identifier = local.crules_values[count.index]
-## ## }
-## ## depends_on = [aws_config_configuration_recorder.config]
-## ## }
-##
-## #---
-## # sns: config
-## #---
-## data "aws_iam_policy_document" "config_sns" {
-## statement {
-## sid = "AWSConfigBucketPolicy"
-## effect = "Allow"
-## actions = ["s3:*"]
-##
-## resources = [
-## local.config_bucket_arn,
-## "${local.config_bucket_arn}/*",
-## ]
-## }
-## statement {
-## sid = "AWSConfigSNSPublish"
-## effect = "Allow"
-## actions = ["sns:Publish"]
-## resources = [aws_sns_topic.config.arn]
-## }
-## }
-##
-## resource "aws_iam_role_policy" "config_sns" {
-## name = "p-inf-config-${local.region}"
-## role = aws_iam_role.config.name
-## policy = data.aws_iam_policy_document.config_sns.json
-## }
-##
-## resource "aws_sns_topic" "config" {
-## name = "inf-config-${local.region}"
-## }
-##
-## resource "aws_sns_topic_policy" "config" {
-## arn = aws_sns_topic.config.arn
-## policy = data.aws_iam_policy_document.config_sns_topic.json
-## }
-##
-## data "aws_iam_policy_document" "config_sns_topic" {
-## policy_id = "inf-config_policy-${local.region}"
-## statement {
-## sid = "AllowSNS"
-## effect = "Allow"
-## resources = [aws_sns_topic.config.arn]
-## actions = [
-## "sns:Subscribe",
-## "sns:SetTopicAttributes",
-## "sns:RemovePermission",
-## "sns:Receive",
-## "sns:Publish",
-## "sns:ListSubscriptionsByTopic",
-## "sns:GetTopicAttributes",
-## "sns:DeleteTopic",
-## "sns:AddPermission",
-## ]
-## principals {
-## type = "AWS"
-## identifiers = ["*"]
-## }
-## condition {
-## test = "StringEquals"
-## variable = "AWS:SourceOwner"
-## values = [var.account_id]
-## }
-## }
-## }
-##
-## #---
-## # sqs: config (from splunk)
-## #---
-## # one per region we are using
-## resource "aws_sqs_queue" "config_deadletter" {
-## # delay=0 retention=4d max=256k visibility=1h
-## name = "inf-config-${local.region}-deadletter"
-## delay_seconds = 0
-## max_message_size = 262144
-## message_retention_seconds = 345600
-## receive_wait_time_seconds = 15
-## visibility_timeout_seconds = 3600
-##
-## # disable kms, doesn't seem to work with splunk
-## # kms_master_key_id = "alias/${var.kms_inf_key}"
-## # kms_data_key_reuse_period_seconds = 300
-## tags = merge(
-## local.common_tags,
-## map("Name", "inf-config-${local.region}-deadletter")
-## )
-## }
-##
-## resource "aws_sqs_queue_policy" "config_deadletter" {
-## queue_url = aws_sqs_queue.config_deadletter.id
-## policy = data.aws_iam_policy_document.config_sqs_deadletter.json
-## }
-##
-## data "aws_iam_policy_document" "config_sqs_deadletter" {
-## policy_id = "SQSDefaultPolicy"
-## statement {
-## sid = "AllowSQSReceiveMessage"
-## effect = "Allow"
-## # actions = ["SQS:SendMessage"]
-## actions = ["SQS:ReceiveMessage"]
-## resources = [aws_sqs_queue.config_deadletter.arn]
-##
-## principals {
-## type = "AWS"
-## identifiers = ["*"]
-## }
-##
-## condition {
-## test = "ArnEquals"
-## variable = "aws:SourceArn"
-## # values = [aws_sns_topic.config.arn]
-## values = [aws_sqs_queue.config.arn]
-## }
-## }
-## }
-##
-## resource "aws_sqs_queue" "config" {
-## # delay=0 retention=7d max=256k visibity=2h
-## name = "inf-config-${local.region}"
-## delay_seconds = 0
-## max_message_size = 262144
-## message_retention_seconds = 604800
-## receive_wait_time_seconds = 0
-## visibility_timeout_seconds = 600
-##
-## redrive_policy = <