diff --git a/README.md b/README.md
index 2bb0dce..611c457 100644
--- a/README.md
+++ b/README.md
@@ -15,11 +15,17 @@ This project creates and manages resources within an AWS account for infrastruct
## Providers
-No providers.
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 5.24.0 |
## Resources
-No resources.
+| Name | Type |
+|------|------|
+| [aws_kms_alias.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
## Inputs
@@ -27,6 +33,7 @@ No resources.
|------|-------------|------|---------|:--------:|
| [aws\_region](#input\_aws\_region) | AWS region in which to launch resources | `string` | n/a | yes |
| [environment](#input\_environment) | The environment name to be used as part of the resource prefix | `string` | n/a | yes |
+| [infrastructure\_kms\_encryption](#input\_infrastructure\_kms\_encryption) | Enable infrastructure KMS encryption. This will create a single KMS key to be used across all resources that support KMS encryption. | `bool` | n/a | yes |
| [infrastructure\_name](#input\_infrastructure\_name) | The infrastructure name to be used as part of the resource prefix | `string` | n/a | yes |
| [project\_name](#input\_project\_name) | Project name to be used as a prefix for all resources | `string` | n/a | yes |
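Review bot: the new `infrastructure_kms_encryption` input is documented as required (`n/a` default, `yes`), so every existing caller of this module breaks at plan time until it sets the variable; if that is intended, call it out as a breaking change in the README, otherwise give the variable a `default = false` so existing environments keep their current behaviour and opt in deliberately. Two smaller points in the same hunk: the Resources table now lists `aws_caller_identity.current` but nothing in the README says what it is for (presumably scoping the key policy to the current account ID), and the Providers table pins `aws` at `5.24.0` in generated docs, so make sure that matches the constraint in the `required_providers` block rather than a lock-file value that will drift.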
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..8fc4b38
--- /dev/null
+++ b/data.tf
@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}
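Review bot: nothing in the visible diff shows where `data.aws_caller_identity.current` is consumed, so a one-line comment above it stating its purpose (the KMS key policy's account principal is the obvious candidate) would save the next reader a search. The data source is unconditional, which is fine: it has no cost and avoids a `count` on a data block that would otherwise have to mirror the key's conditional.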
diff --git a/kms-infrastructure.tf b/kms-infrastructure.tf
new file mode 100644
index 0000000..1b34b35
--- /dev/null
+++ b/kms-infrastructure.tf
@@ -0,0 +1,29 @@
+resource "aws_kms_key" "infrastructure" {
+ count = local.infrastructure_kms_encryption ? 1 : 0
+
+ description = "${local.resource_prefix} infrastructure kms key"
+ deletion_window_in_days = 30
+ enable_key_rotation = true
+
+ policy = templatefile(
+ "${path.root}/policies/kms-key-policy.json.tpl",
+ {
+ statement = <
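Review bot: `"${path.root}/policies/kms-key-policy.json.tpl"` will not resolve when this code is consumed as a child module, because `path.root` is the calling root configuration, not the directory containing this file; use `path.module` so the template is found regardless of who calls it. The `count` expression also reads `local.infrastructure_kms_encryption`, while the README hunk documents a variable `infrastructure_kms_encryption` and no `locals` change is in this patch; either the local is defined elsewhere and should be referenced consistently, or this should be `var.infrastructure_kms_encryption`. Because of the `count`, any reference elsewhere must use `aws_kms_key.infrastructure[0]` (the `aws_kms_alias.infrastructure` resource listed in the README should carry the same `count`), and `deletion_window_in_days = 30` with `enable_key_rotation = true` are the right choices for a shared key. The hunk is cut off at `statement = <` in this view, so the template variables and the policy statements themselves could not be checked.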