diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e79eb23
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.terraform*
diff --git a/policies/s3.yaml b/policies/s3.yaml
new file mode 100644
index 0000000..0c77399
--- /dev/null
+++ b/policies/s3.yaml
@@ -0,0 +1,13 @@
+policies:
+  - name: test-s3-is-encrypted
+    description: |
+      S3 Must have server side encryption enabled
+    resource: terraform.aws_s3_bucket
+    filters:
+      - type: value
+        key: server_side_encryption_configuration.sse_algorithm
+        value: empty
+      - type: value
+        key: "tag:encryption_exception"
+        value: empty
+
diff --git a/root-module/s3.tf b/root-module/s3.tf
new file mode 100644
index 0000000..05d8c9a
--- /dev/null
+++ b/root-module/s3.tf
@@ -0,0 +1,26 @@
+resource "aws_s3_bucket" "unencrypted-bucket" {
+  bucket = "unencrypted-bucket"
+  tags = {
+    Environment = "Dev"
+  }
+}
+
+resource "aws_s3_bucket" "unencrypted-bucket-with-exception" {
+  bucket = "unencrypted-bucket"
+  tags = {
+    Environment = "Dev"
+    encryption_exception = true
+  }
+}
+
+resource "aws_s3_bucket" "encrypted-inline-bucket" {
+  bucket = "encrypted-inline-bucket"
+
+  server_side_encryption_configuration = {
+    sse_algorithm = "AES256"
+  }
+
+  tags = {
+    Environment = "Prod"
+  }
+}
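Review bot: The `.terraform*` glob also excludes `.terraform.lock.hcl`, the provider dependency lock file that HashiCorp recommends committing so provider versions and checksums are pinned across machines; `.terraform/` would ignore only the plugin cache directory. Nothing here ignores `*.tfstate` or `*.tfstate.backup`, so if root-module is ever applied, state (which can carry secrets and resource identifiers) becomes committable. Proposed content: `.terraform/`, `*.tfstate`, `*.tfstate.*`.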
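Review bot: The exception filter `value: empty` on `tag:encryption_exception` means any value at all on that tag — including `false` or `no` — suppresses the finding, so the control is disabled by tag presence rather than by an explicit opt-in. Require the explicit value instead, e.g. `value: "true"` with `op: ne` (an absent tag still satisfies `ne`), and confirm how c7n-left presents the HCL boolean `true` from the fixture, since it may arrive as a bool rather than the string "true". Separately, the key `server_side_encryption_configuration.sse_algorithm` only matches the flattened shape used in root-module/s3.tf; in the hashicorp/aws provider schema as I know it the inline form nests it under `rule.apply_server_side_encryption_by_default.sse_algorithm`, and provider v4+ moves it to a separate `aws_s3_bucket_server_side_encryption_configuration` resource, so real encrypted buckets would be reported as unencrypted. A comment on the policy stating which provider version and resource shape it targets would make that limitation visible to whoever adopts it.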
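Review bot: Both `unencrypted-bucket` and `unencrypted-bucket-with-exception` set `bucket = "unencrypted-bucket"`, so the second resource is a duplicate that would fail on apply and that anything keyed on the bucket name cannot tell apart from the first; change the second to `bucket = "unencrypted-bucket-with-exception"`. The `server_side_encryption_configuration = { sse_algorithm = "AES256" }` attribute form also does not match the hashicorp/aws provider schema as I know it, where `sse_algorithm` sits under `rule { apply_server_side_encryption_by_default { ... } }` (or, from provider v4, in a separate `aws_s3_bucket_server_side_encryption_configuration` resource), so `terraform validate` would likely reject this fixture and the policy is only ever exercised against a shape real modules do not produce. If the fixture is deliberately simplified, a header comment saying so (`# Fixture for policies/s3.yaml; SSE shape is flattened and not provider-valid`) would stop the next reader from copying it; otherwise the block below gives the provider shape, with the policy's filter key updated to match.
```hcl
resource "aws_s3_bucket" "encrypted-inline-bucket" {
  bucket = "encrypted-inline-bucket"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
  # … unchanged: tags …
}
```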