diff --git a/README.md b/README.md
index 241e44e..ff607ae 100644
--- a/README.md
+++ b/README.md
@@ -4,15 +4,15 @@ Module for creating Title 26 Compliant S3 Buckets # Requirements -1. Encryption enforcement on the Bucket Policy  1. Only Cloud Administrators have bucket delete permissions 1. Permissions tightly controlled with Bucket Policy and IAM role/policy for users, instances, and other services -1. Dedicated KMS CMK key  +1. Encryption enforcement on the Bucket Policy  +1. Dedicated KMS Customer Master Key (CMK) created per S3 bucket 1. MFA enforced API calls – required for all data migrations (Cloud and Data Admins) 1. Object Level Logging enabled with 7 year retention on CloudWatch Log Group -1. Backup logs to BCC (How often?) + * Backup logs to BCC (How often?) 1. Server Access Logging enabled with 7 year retention on CloudWatch Log Group -1. Backup logs to BCC (How often?) + * Backup logs to BCC (How often?) 1. Versioning enabled 1. Monthly Security Audit reviews * By customer?
@@ -20,4 +20,4 @@ Module for creating Title 26 Compliant S3 Buckets 1. IP Address Restriction policy enforced 1. Not publically accessible 1. Customer signature for key deletion(s) during decommissioning(s) and maximum wait period -1. Delete CMK key for Data Sanitization. +1. Delete CMK for Data Sanitization
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..5fe6b9c
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,44 @@
+#---
+# s3 bucket
+#---
+resource "aws_s3_bucket" "this" {
+ bucket = var.bucket_name
+ acl = "private"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = var.kms_key_id
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+ versioning {
+ enabled = true
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
+ tags = merge(
+ var.tags,
+ local.enforced_tags,
+ map( "Name", var.bucket_name)
+ )
+
+ provisioner "local-exec" {
+ when = create
+ command = "sleep 120"
+ }
+}
+
+resource "aws_s3_bucket_object" "this_objects" {
+ bucket = aws_s3_bucket.this.id
+ count = length(var.bucket_folders)
+ key = format("%s/",element(var.bucket_folders,count.index))
+ source = "/dev/null"
+
+ depends_on [aws_s3_bucket.this]
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..429b59f
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,16 @@
+variable "bucket_name" {
+ description = "AWS Bucket Name"
+ type = string
+}
+
+variable "bucket_folders" {
+ description = "List of folders (keys) to create after creation of bucket"
+ type = list(string)
+ default = [ ]
+}
+
+variable "kms_key_id" {
+ description = "AWS KMS Key ID (one per bucket)"
+ type = string
+ default = ""
+}
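Review bot: `depends_on [aws_s3_bucket.this]` in `aws_s3_bucket_object.this_objects` is missing the `=` and will not parse; meta-arguments are assigned, `depends_on = [aws_s3_bucket.this]`, and since `bucket = aws_s3_bucket.this.id` already creates that dependency the line can simply be dropped. Separately, `acl = "private"` only sets the canned ACL on the bucket; nothing in this file stops a later bucket policy or object ACL from granting public access, which the README's "Not publically accessible" requirement rules out, so an `aws_s3_bucket_public_access_block` on the bucket would enforce that (assuming it is not defined in a file outside this diff). The `local-exec` provisioner's `sleep 120` has no stated purpose; a comment on the `provisioner` line explaining what the wait is for and when it can be removed would keep the next maintainer from deleting or cargo-culting it. `map( "Name", var.bucket_name)` is deprecated on Terraform 0.12+ (which the `var.` syntax implies) in favor of `{ Name = var.bucket_name }`, and `var.tags` / `local.enforced_tags` are referenced but not declared in the files this commit adds.
```hcl
# … unchanged: aws_s3_bucket.this and aws_s3_bucket_object.this_objects …

resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```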
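Review bot: `kms_key_id` defaults to `""`, and main.tf passes it straight into `kms_master_key_id` under `sse_algorithm = "aws:kms"`, so a caller who omits the variable gets S3's AWS-managed `aws/s3` key rather than the dedicated per-bucket CMK the README now requires — the module silently produces a non-compliant bucket. Dropping the `default = ""` line makes the variable required and surfaces the omission at plan time; on Terraform 0.13+ a `validation` block can additionally reject an empty string. main.tf also reads `var.tags`, which is not declared here; if it is not declared in a file outside this diff, a `variable "tags" { type = map(string) default = {} }` is needed. The `bucket_folders` description would be clearer stating that each entry becomes a zero-byte object with a trailing `/`, which is what main.tf creates.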