diff --git a/modules/encrypted_logs/CHANGELOG.md b/modules/encrypted_logs/CHANGELOG.md
new file mode 100644
index 0000000..3164188
--- /dev/null
+++ b/modules/encrypted_logs/CHANGELOG.md
@@ -0,0 +1,3 @@
+## [1.0] - 2021-11-14
+
+* Creates an encrypted log group module
diff --git a/modules/encrypted_logs/README.md b/modules/encrypted_logs/README.md
new file mode 100644
index 0000000..9721220
--- /dev/null
+++ b/modules/encrypted_logs/README.md
@@ -0,0 +1,32 @@
+# Encrypted Logs
+
+This module provisions a CloudWatch log group encrypted with KMS.
+
+## Usage
+
+```terraform
+module "encrypted_logs" {
+ source = "modules/encrypted_logs" // update when we've figured out how/if we will publish
+
+ log_group_name = "encrypted-logs"
+ tags = {
+ environment = "staging"
+ }
+}
+
+resource "aws_sfn_state_machine" "step_function" {
+ name = "my-step-function"
+ role_arn = aws_iam_role.step_function.arn
+
+ logging_configuration {
+ logging_destination = "${module.encrypted_logs.log_group_arn}:*"
+ include_execution_data = true
+ level = "ALL"
+ }
+}
+
+resource "aws_iam_role_policy_attachment" "step_function" {
+ role = aws_iam_role.step_function.id
+ policy_arn = module.encrypted_logs.write_logs_policy_arn
+}
+```
diff --git a/modules/encrypted_logs/VERSION.txt b/modules/encrypted_logs/VERSION.txt
new file mode 100644
index 0000000..d3827e7
--- /dev/null
+++ b/modules/encrypted_logs/VERSION.txt
@@ -0,0 +1 @@
+1.0
diff --git a/modules/encrypted_logs/main.tf b/modules/encrypted_logs/main.tf
new file mode 100644
index 0000000..669016c
--- /dev/null
+++ b/modules/encrypted_logs/main.tf
@@ -0,0 +1,51 @@
+resource "aws_cloudwatch_log_group" "main" {
+ name = var.log_group_name
+ kms_key_id = aws_kms_key.main.arn
+ tags = var.tags
+}
+
+// Probably worth creating a KMS key module to use here instead
+resource "aws_kms_key" "main" {
+ description = "Encryption key for ${var.log_group_name} logs"
+ enable_key_rotation = true
+ tags = var.tags
+}
+
+resource "aws_kms_alias" "main" {
+ name = "alias/${log_group_name}-logs"
+ target_key_id = aws_kms_key.main.key_id
+}
+
+resource "aws_iam_policy" "write_logs" {
+ name = "write-${var.log_group_name}-logs"
+ policy = data.aws_iam_policy_document.write_logs.json
+}
+
+resource "aws_iam_policy_document" "write_logs" {
+ statement {
+ sid = "CreateLogStream"
+ actions = ["logs:CreateLogStream"]
+ resources = [
+ "${aws_cloudwatch_log_group.main.arn}:log-stream:*"
+ ]
+ }
+
+ statement {
+ sid = "WriteLogs"
+ actions = ["logs:PutLogEvents"]
+ resources = [
+ "${aws_cloudwatch_log_group.main.arn}:log-stream:*"
+ ]
+ }
+
+ statement {
+ sid = "UseLogEncryption"
+ actions = [
+ "kms:GenerateDataKey",
+ "kms:Decrypt",
+ ]
+ resources = [
+ aws_kms_key.main.arn,
+ ]
+ }
+}
diff --git a/modules/encrypted_logs/outputs.tf b/modules/encrypted_logs/outputs.tf
new file mode 100644
index 0000000..ec41e21
--- /dev/null
+++ b/modules/encrypted_logs/outputs.tf
@@ -0,0 +1,7 @@
+output "write_logs_policy_arn" {
+ value = aws_iam_policy.write_logs.arn
+}
+
+output "log_group_arn" {
+ value = aws_cloudwatch_log_group.main.arn
+}
diff --git a/modules/encrypted_logs/variables.tf b/modules/encrypted_logs/variables.tf
new file mode 100644
index 0000000..18ec1dd
--- /dev/null
+++ b/modules/encrypted_logs/variables.tf
@@ -0,0 +1,10 @@
+variable "log_group_name" {
+ type = string
+ description = "Name for CloudWatch log group"
+}
+
+variable "tags" {
+ type = map(string)
+ description = "Tags to add to CloudWatch log group and associated KMS key"
+ default = {}
+}
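Review bot: Neither output in outputs.tf carries a `description`, so module consumers and terraform-docs get no statement of what `write_logs_policy_arn` and `log_group_arn` hold; add e.g. `description = "ARN of the IAM policy that allows creating streams in and putting events to the log group"` and `description = "ARN of the KMS-encrypted CloudWatch log group"`. Consumers that need to grant another service use of the key, or to audit which key protects the logs, also cannot reach it from the module interface; consider a third output such as `output "kms_key_arn" { value = aws_kms_key.main.arn }`.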
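Review bot: `log_group_name` in variables.tf is reused verbatim in `aws_iam_policy.write_logs.name` and `aws_kms_alias.main.name` in main.tf, and those accept a narrower character set than CloudWatch log group names: a value such as `/aws/lambda/foo` is a valid log group name but, as far as I recall, not a valid IAM policy name, so the apply would fail late with an API error rather than at plan time. A `validation` block (Terraform 0.13+) on the variable makes the constraint explicit, and the description should say why the restriction exists.

```terraform
variable "log_group_name" {
  type        = string
  description = "Name for CloudWatch log group; also used in the IAM policy and KMS alias names, so limited to letters, digits, '_' and '-'"

  validation {
    condition     = can(regex("^[A-Za-z0-9_-]+$", var.log_group_name))
    error_message = "log_group_name may contain only letters, digits, underscores and hyphens."
  }
}

// … unchanged: variable "tags" …
```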