diff --git a/aws/s3/s3_access_log/README.md b/aws/s3/s3_access_log/README.md
new file mode 100644
index 00000000..16fd795b
--- /dev/null
+++ b/aws/s3/s3_access_log/README.md
@@ -0,0 +1,26 @@
+# Set Required Variables
+
+```
+environment=test
+export AWS_PROFILE='cloudavail'
+```
+
+# Validate CloudFormation
+
+`aws cloudformation validate-template --template-body file://s3_access_log.yaml`
+
+# Create a S3 Stack
+
+`aws cloudformation create-stack --stack-name s3-buckets-$environment --capabilities CAPABILITY_IAM --parameters ParameterKey=Environment,ParameterValue=$environment --template-body file://s3_access_log.yaml`
+
+# Update a S3 Stack with a Change-Set
+
+`aws cloudformation create-change-set --stack-name s3-buckets-$environment --change-set-name s3-buckets-$environment-change-set-$(date +%s) --capabilities CAPABILITY_IAM --parameters ParameterKey=Environment,ParameterValue=$environment --template-body file://s3_access_log.yaml`
+
+# Update a S3 Stack
+
+`aws cloudformation update-stack --stack-name s3-buckets-$environment --capabilities CAPABILITY_IAM --parameters ParameterKey=Environment,ParameterValue=$environment --template-body file://s3_access_log.yaml`
+
+# Delete a S3 Stack
+
+`aws cloudformation delete-stack --stack-name s3-buckets-$environment`
diff --git a/aws/s3/s3_access_log/client_handoff.md b/aws/s3/s3_access_log/client_handoff.md
new file mode 100644
index 00000000..89beafa9
--- /dev/null
+++ b/aws/s3/s3_access_log/client_handoff.md
@@ -0,0 +1,5 @@
+# Client Handoff
+
+## Notes
+- Target bucket is the S3 bucket where you want logs to go to.
+- replace bucket name on `BucketName` for Source and Target buckets
diff --git a/aws/s3/s3_access_log/s3_access_log.yaml b/aws/s3/s3_access_log/s3_access_log.yaml
new file mode 100644
index 00000000..4f834bea
--- /dev/null
+++ b/aws/s3/s3_access_log/s3_access_log.yaml
@@ -0,0 +1,61 @@
+---
+
+AWSTemplateFormatVersion: 2010-09-09
+
+Description: AWS CloudFormation Stack for S3 buckets and Server Access Logging
+
+Parameters:
+
+ Environment:
+ Type: String
+ Description: Environment
+ AllowedValues:
+ - dev
+ - prod
+ - stage
+ - test
+
+Resources:
+
+ SourceBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: !Sub cloudavail-test-bucket-${Environment}
+ LoggingConfiguration:
+ DestinationBucketName: !Ref TargetBucket
+
+ TargetBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ AccessControl: LogDeliveryWrite
+ BucketName: !Sub cloudavail-test-bucket-logs-${Environment}
+
+ TargetBucketAccessLogPolicy:
+ Type: AWS::S3::BucketPolicy
+ DependsOn:
+ - TargetBucket
+ Properties:
+ Bucket: !Ref TargetBucket
+ PolicyDocument:
+ Version: '2012-10-17'
+ Statement:
+ - Sid: S3ServerAccessLogsPolicy
+ Effect: Allow
+ Principal:
+ Service: logging.s3.amazonaws.com
+ Action:
+ - s3:PutObject
+ Resource: !Join
+ - ''
+ - - 'arn:aws:s3:::'
+ - !Ref TargetBucket
+ - /*
+ Condition:
+ ArnLike:
+ aws:SourceArn: !Join
+ - ''
+ - - 'arn:aws:s3:::'
+ - !Ref SourceBucket
+ - /*
+ StringEquals:
+ aws:SourceAccount: 187376578462
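Review bot: The `aws:SourceArn` condition in TargetBucketAccessLogPolicy appends `/*` to the source bucket ARN, but the AWS reference policy for server access logging matches the bare bucket ARN (`arn:aws:s3:::SOURCE-BUCKET`), so if the logging service presents that form this `ArnLike` pattern never matches and delivery only succeeds through the legacy `LogDeliveryWrite` ACL rather than the policy; I would use `aws:SourceArn: !Sub arn:aws:s3:::${SourceBucket}`. The same statement hardcodes `aws:SourceAccount: 187376578462`, which pins a template that client_handoff.md presents as reusable to one account and silently denies log delivery anywhere else; `aws:SourceAccount: !Ref AWS::AccountId` removes that coupling. Neither bucket sets `PublicAccessBlockConfiguration` or `BucketEncryption`; the log bucket in particular should have all four public-access-block flags true and default encryption, since access logs record requester identities, IPs and object keys. Minor style points: `DependsOn: TargetBucket` is redundant because `Bucket: !Ref TargetBucket` already creates the dependency, and both `!Join` expressions read more simply as `!Sub`.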