diff --git a/README.md b/README.md
index a86833d..66d3d21 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,8 @@ No modules.
| [aws_iam_access_key.admin_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_user.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy_attachment.admin_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_kms_alias.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_s3_bucket.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
| [aws_s3_bucket.web](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
@@ -43,5 +45,6 @@ No inputs.
| Name | Description |
| ---- | ----------- |
| [admin\_access\_keys](#output\_admin\_access\_keys) | Admin IAM user access keys |
+| [sops\_kms\_key\_arn](#output\_sops\_kms\_key\_arn) | KMS key ARN for future SOPS AWS KMS recipients |
| [web\_bucket\_endpoints](#output\_web\_bucket\_endpoints) | Website endpoints for public web S3 buckets |
diff --git a/aws-kms.tf b/aws-kms.tf
new file mode 100644
index 0000000..900ca36
--- /dev/null
+++ b/aws-kms.tf
@@ -0,0 +1,19 @@
+resource "aws_kms_key" "sops" {
+ description = "SOPS encryption key for Make IT Work Cloud infrastructure secrets"
+ deletion_window_in_days = 30
+ enable_key_rotation = true
+
+ tags = {
+ ManagedBy = "Terraform"
+ Purpose = "sops"
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+}
+
+resource "aws_kms_alias" "sops" {
+ name = "alias/makeitworkcloud/sops"
+ target_key_id = aws_kms_key.sops.key_id
+}
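Review bot: The `aws_kms_key.sops` block carries no `policy` argument, so the key is created with the provider's default key policy, which delegates all key access to IAM in the account; nothing in this hunk states which principals are meant to call `kms:Encrypt`/`kms:Decrypt` with it, and the README section of this diff suggests the admin IAM user is presumably the intended SOPS recipient. If relying on IAM policies is deliberate, record it above `description`, e.g. `# No explicit key policy: access is delegated to IAM in this account; grant kms:Encrypt/kms:Decrypt per SOPS user.`; otherwise add a `policy` built from an `aws_iam_policy_document` data source that names those principals explicitly. `deletion_window_in_days = 30`, `enable_key_rotation = true` and `prevent_destroy = true` are appropriate for a key that will protect secrets at rest, since its loss makes every SOPS-encrypted file unrecoverable. The alias `alias/makeitworkcloud/sops` is the stable handle to reference from `.sops.yaml`; consider exposing it as an output next to `sops_kms_key_arn` so consumers are not tied to the raw key id.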
diff --git a/outputs.tf b/outputs.tf
index 8c01ebf..5b710fb 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -14,3 +14,8 @@ output "web_bucket_endpoints" {
}
description = "Website endpoints for public web S3 buckets"
}
+
+output "sops_kms_key_arn" {
+ description = "KMS key ARN for future SOPS AWS KMS recipients"
+ value = aws_kms_key.sops.arn
+}