diff --git a/s3-config/README.md b/s3-config/README.md
new file mode 100644
index 0000000..0be84aa
--- /dev/null
+++ b/s3-config/README.md
@@ -0,0 +1,57 @@
+# aws-inf-setup :: s3-config
+
+This set up the needed components for S3 config bucket. This needs to be in just one region.
+
+* S3 bucket
+
+# Usage
+Here is a simple example, the one most commonly expected to be used.
+
+```hcl
+module "config" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-config"
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [bucket\_name](#input\_bucket\_name) | Logging S3 bucket name | `string` | `""` | no |
+| [bucket\_name\_prefix](#input\_bucket\_name\_prefix) | Logging S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name. | `string` | `"inf-config"` | no |
+| [component\_tags](#input\_component\_tags) | Additional tags for Components (s3, kms) | `map(map(string))` |
{
"kms": {},
"s3": {}
} | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [bucket\_arn](#output\_bucket\_arn) | Config S3 bucket ARN |
+| [bucket\_id](#output\_bucket\_id) | Config S3 bucket ID |
diff --git a/s3-config/data.tf b/s3-config/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/s3-config/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/s3-config/defaults.tf b/s3-config/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/s3-config/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/s3-config/main.tf b/s3-config/main.tf
new file mode 100644
index 0000000..092be70
--- /dev/null
+++ b/s3-config/main.tf
@@ -0,0 +1,79 @@
+/*
+* # aws-inf-setup :: s3-config
+*
+* This set up the needed components for S3 config bucket. This needs to be in just one region.
+*
+* * S3 bucket
+*
+* # Usage
+* Here is a simple example, the one most commonly expected to be used.
+*
+* ```hcl
+* module "config" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-inf-setup.git//s3-config"
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ logs_region = data.aws_region.current.name
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v", var.bucket_name_prefix, local.account_id)
+
+ base_tags = {
+ "Organization" = "census:aditcio:csvd"
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+
+#---
+# s3
+#---
+resource "aws_s3_bucket" "config" {
+ bucket = local.bucket_name
+ acl = "private"
+
+ # uses aws/kms key so log delivery works properly
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ versioning {
+ enabled = false
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ # probably want some migration of old data to some other location
+ # like glacier
+
+ tags = merge(
+ var.tags,
+ local.base_tags,
+ lookup(var.component_tags, "s3", {}),
+ map("Name", local.bucket_name),
+ )
+
+ provisioner "local-exec" {
+ command = "sleep 30"
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "config" {
+ bucket = aws_s3_bucket.config.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
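Review bot: `versioning { enabled = false }` in the `versioning` block of `aws_s3_bucket.config` leaves a bucket that `prevent_destroy = true` already treats as precious with no recovery path for overwritten or deleted objects; for a config bucket the usual tamper-resistance baseline is `enabled = true`, and if this module is meant to be the complete bucket definition, a bucket policy denying requests with `aws:SecureTransport` false would belong next to the public access block. The `local-exec` provisioner's `sleep 30` carries no explanation of what it waits for; a comment such as `# give S3 time to propagate the new bucket before dependent resources reference it` (assuming that is the intent, the hunk does not say) should accompany it, since a shell-dependent provisioner on a resource is otherwise surprising. `local.logs_region` and `local.account_environment` are computed but not referenced anywhere in this hunk, and `bucket_name` is built from only the prefix and account id, so either the symlinked common files consume them or they are dead. `map("Name", local.bucket_name)` uses the legacy `map()` function that, as far as I know, Terraform 0.15 and later no longer accept; `{ Name = local.bucket_name }` is the direct equivalent.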
diff --git a/s3-config/outputs.tf b/s3-config/outputs.tf
new file mode 100644
index 0000000..d17ed2f
--- /dev/null
+++ b/s3-config/outputs.tf
@@ -0,0 +1,9 @@
+output "bucket_id" {
+ description = "Config S3 bucket ID"
+ value = aws_s3_bucket.config.id
+}
+
+output "bucket_arn" {
+ description = "Config S3 bucket ARN"
+ value = aws_s3_bucket.config.arn
+}
diff --git a/s3-config/prefixes.tf b/s3-config/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/s3-config/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/s3-config/variables.common.tf b/s3-config/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/s3-config/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/s3-config/variables.tf b/s3-config/variables.tf
new file mode 100644
index 0000000..88ea7c8
--- /dev/null
+++ b/s3-config/variables.tf
@@ -0,0 +1,18 @@
+variable "bucket_name" {
+ description = "Logging S3 bucket name"
+ type = string
+ # default = "inf-config-{{ tf_account }}"
+ default = ""
+}
+
+variable "bucket_name_prefix" {
+ description = "Logging S3 bucket prefix, prepended to the AWS account ID and region to make the bucket name."
+ type = string
+ default = "inf-config"
+}
+
+variable "component_tags" {
+ description = "Additional tags for Components (s3, kms)"
+ type = map(map(string))
+ default = { "s3" = {}, "kms" = {}, }
+}
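Review bot: The `bucket_name` and `bucket_name_prefix` descriptions still read "Logging S3 bucket…", but this module creates the config bucket, and `bucket_name_prefix` says the prefix is "prepended to the AWS account ID and region" while main.tf builds the name as `format("%v-%v", var.bucket_name_prefix, local.account_id)` with no region; `description = "Config S3 bucket name"` and `description = "Config S3 bucket prefix, prepended to the AWS account ID to make the bucket name."` would match the code, and the README Inputs table carries the same wording. The commented-out `# default = "inf-config-{{ tf_account }}"` is a templating leftover that Terraform will never evaluate; drop it or say why it is kept.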
diff --git a/s3-config/version.tf b/s3-config/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/s3-config/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file