diff --git a/CHANGELOG.md b/CHANGELOG.md index 3f92dad..7917b04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ Provides standard and t26 S3 bucket construction. -## Versions +## Version 1.x * v1.0 -- 20200719 - initial creation @@ -15,7 +15,9 @@ Provides standard and t26 S3 bucket construction. * v1.2 -- 20201104 - fix s3 bucket permission to not output statement with deny if no IP and VPCE provided -* v2.0 -- 20201104 +## Version 2.x + +* 2.0 -- 20201104 - change to aws-s3 - create submodules `standard` and `title26` - standard @@ -27,25 +29,31 @@ Provides standard and t26 S3 bucket construction. - explicit boc:authority tag - auto create encryption key -* v2.0.1 -- 20210325 +* 2.0.1 -- 20210325 - make bucket policies denying missing encryption header optional - add variable: `require_explicit_encryption` default = false -* v2.1.0 -- 20210511 +* 2.1.0 -- 20210511 - add kms_policy to be used for custom kms key policy and kms_admin_roles -* v2.2.0 -- 20210520 +* 2.2.0 -- 20210520 - add bucket_policy_document to be used for additional bucket policy merged with the default -* v2.2.1 -- 20210528 +* 2.2.1 -- 20210528 - fix key_id for encryption to be the arn of the key (despite the name) -* v2.2.2 -- 20211104 +* 2.2.2 -- 20211104 - update documenation to include sample policy and policy document -* v2.3.0 -- 20211117 +* 2.3.0 -- 20211117 - add submodule kms_key to be able to create a key, and then use it for later bucket - allow kms_key_arn to passed in for standard and title26 buckets -* v2.4.0 -- 20220118 +* 2.4.0 -- 20220118 - add bucket_owner controls (default BucketOwnerPreferred) + +* 2.4.1 -- 20220222 + - pin aws provider to < 4.0 + - add bucket_key_enabled (for S3 bucket keys; https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html) + + diff --git a/common/resources.tf b/common/resources.tf index e84117d..07963aa 100644 --- a/common/resources.tf +++ b/common/resources.tf 
@@ -50,6 +50,7 @@ resource "aws_s3_bucket" "this" { kms_master_key_id = local.kms_key_arn sse_algorithm = "aws:kms" } + bucket_key_enabled = var.bucket_key_enabled } } diff --git a/common/variables.s3.tf b/common/variables.s3.tf index 9e8599d..b8bb04b 100644 --- a/common/variables.s3.tf +++ b/common/variables.s3.tf @@ -66,3 +66,9 @@ variable "bucket_owner" { type = string default = "BucketOwnerPreferred" } + +variable "bucket_key_enabled" { + description = "Enable or disable the use of S3 Bucket Keys (see AWS documenation at https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html)." + type = bool + default = false +} diff --git a/common/version.tf b/common/version.tf index 03d330b..58b0c87 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,3 +1,3 @@ locals { - _module_version = "2.3.0" + _module_version = "2.3.1" } diff --git a/common/versions.tf b/common/versions.tf index 70d5487..78f413b 100644 --- a/common/versions.tf +++ b/common/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.66.0" + version = "~> 3.0" } null = { source = "hashicorp/null"
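Review bot: The description of `bucket_key_enabled` in common/variables.s3.tf links to the AWS page but does not tell callers what changes on the KMS side when they set it to true. With an S3 Bucket Key, the encryption context S3 passes to KMS is the bucket ARN rather than the object ARN, and CloudTrail KMS events record the bucket ARN as well. A key policy (for example one supplied through the `kms_policy` input the changelog mentions) or an IAM policy that conditions on object ARNs will therefore stop matching, and per-object KMS audit trails become coarser. The setting also applies only to objects written after it is enabled. I would extend the text along the lines of `description = "Enable S3 Bucket Keys for SSE-KMS. KMS encryption context and CloudTrail KMS events then carry the bucket ARN instead of the object ARN; review key and IAM policy conditions before enabling."` and correct the spelling of "documenation" while there.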
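Review bot: The new constraint `version = "~> 3.0"` in common/versions.tf adds the intended ceiling below 4.0 but also drops the previous floor of 3.66.0, so any 3.x provider now satisfies it. The `bucket_key_enabled` argument this commit adds to the encryption rule in common/resources.tf cannot exist in the earliest 3.x releases, since S3 Bucket Keys were introduced after provider 3.0. A consumer with an old locked provider would then hit an unsupported-argument error at plan time rather than a clear version-constraint failure. Keeping both bounds states the range that was actually tested: `version = ">= 3.66.0, < 4.0"`; the `required_providers` block continues past the end of this hunk. Separately, common/version.tf sets `_module_version = "2.3.1"` while the changelog entry for this change is 2.4.1, so confirm which number is intended.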