diff --git a/aws/modules/cloudtrail/main.tf b/aws/modules/cloudtrail/main.tf
index cf96d76..6c332b5 100644
--- a/aws/modules/cloudtrail/main.tf
+++ b/aws/modules/cloudtrail/main.tf
@@ -29,6 +29,14 @@ resource "aws_s3_bucket" "cloudtrail_bucket" {
 bucket = local.bucket_name
 force_destroy = var.bucket_force_destroy
 policy = data.aws_iam_policy_document.cloudtrail_s3_policy.json
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = var.bucket_sse_algorithm
+ }
+ }
+ }
 }
 
 # we need the identity of the caller to get their account_id for the s3 bucket
diff --git a/aws/modules/cloudtrail/variables.tf b/aws/modules/cloudtrail/variables.tf
index 4bebb6f..65c84ea 100644
--- a/aws/modules/cloudtrail/variables.tf
+++ b/aws/modules/cloudtrail/variables.tf
@@ -42,6 +42,12 @@ variable "bucket_force_destroy" {
 default = false
 }
 
+variable "bucket_sse_algorithm" {
+ type = string
+ default = "AES256"
+ description = "The encryption algorithm to use for S3 bucket server-side encryption"
+}
+
 variable "sns_topic_name" {
 type = string
 default = ""
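Review bot: The new `apply_server_side_encryption_by_default` block sets only `sse_algorithm`, so a caller who passes `aws:kms` gets no `kms_master_key_id` and the bucket silently falls back to the AWS-managed `aws/s3` key rather than a customer-managed key whose policy can be scoped to CloudTrail delivery. If KMS is meant to be a supported option, either add a `kms_master_key_id` input wired next to `sse_algorithm`, or document on the block that only `AES256` is intended, e.g. `# Only AES256 is wired here; aws:kms would use the AWS-managed aws/s3 key because no kms_master_key_id is set`. Note also that the inline `server_side_encryption_configuration` block on `aws_s3_bucket` is deprecated in AWS provider v4+ in favor of the standalone `aws_s3_bucket_server_side_encryption_configuration` resource; the provider version pin is not visible here, so confirm which applies to this module. The enclosing `resource "aws_s3_bucket" "cloudtrail_bucket"` block starts before this hunk.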
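Review bot: `bucket_sse_algorithm` accepts any string, so a typo such as `aes256` is only caught at apply time by the AWS API, and the description does not tell callers which values are valid. A `validation` block on the variable would fail fast at plan time and double as documentation of the accepted values; the description could also read `"Server-side encryption algorithm for the CloudTrail S3 bucket: \"AES256\" (SSE-S3) or \"aws:kms\" (SSE-KMS)"`. The suggested addition inside the new variable block is shown below.

```terraform
variable "bucket_sse_algorithm" {
  # … unchanged: type, default, description …
  validation {
    condition     = contains(["AES256", "aws:kms"], var.bucket_sse_algorithm)
    error_message = "bucket_sse_algorithm must be \"AES256\" or \"aws:kms\"."
  }
}
```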