diff --git a/README.md b/README.md
index fe7ac6b..de45ff3 100644
--- a/README.md
+++ b/README.md
@@ -56,7 +56,6 @@ It can in most cases be used to host any static site, however this module adds s
 | [aws_iam_policy.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_user.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy_attachment.publii_s3_frontend](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
-| [aws_kms_key.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_kms_key.s3_bucket_frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_lambda_permission.cloudfront_invalidation_frontend_alllow_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_route53_record.cloudfront_frontend_tls_certificate_dns_validation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
@@ -87,6 +86,7 @@ It can in most cases be used to host any static site, however this module adds s
 | [aws_s3_bucket_website_configuration.frontend_www_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_website_configuration) | resource |
 | [aws_wafv2_web_acl.cloudfront_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource |
 | [random_id.project](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_route53_zone.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 | [template_file.cloudfront_frontend_viewer_request_function](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.frontend_bucket_cloudfront_read](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
@@ -97,6 +97,7 @@ It can in most cases be used to host any static site, however this module adds s
 | [template_file.frontend_www_redirect_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.lambda_cloudfront_invalidation_frontend_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.logs_bucket_enforce_tls_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
+| [template_file.logs_bucket_log_delivery_access_statement](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.logs_bucket_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
 | [template_file.publii_s3_frontend_policy](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source |
diff --git a/data.tf b/data.tf
index 2289e95..c544678 100644
--- a/data.tf
+++ b/data.tf
@@ -3,3 +3,5 @@ data "aws_route53_zone" "default" {
 zone_id = local.route53_hosted_zone_options.id
 }
+
+data "aws_caller_identity" "current" {}
diff --git a/kms.tf b/kms.tf
index a3593c2..31a4952 100644
--- a/kms.tf
+++ b/kms.tf
@@ -5,9 +5,3 @@ resource "aws_kms_key" "s3_bucket_frontend_www_redirect" {
 deletion_window_in_days = 10
 enable_key_rotation = true
 }
-
-resource "aws_kms_key" "logs" {
- description = "This key is used to encrypt bucket objects within ${aws_s3_bucket.logs.id}"
- deletion_window_in_days = 10
- enable_key_rotation = true
-}
diff --git a/locals.tf b/locals.tf
index 9f3afa5..c16f2ed 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,4 +1,5 @@
 locals {
+ account_id = data.aws_caller_identity.current.account_id
 site_url = var.site_url
 project_random_id = random_id.project.dec
 project_name = "${replace(local.site_url, ".", "-")}-${local.project_random_id}"
diff --git a/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl b/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl
new file mode 100644
index 0000000..203f173
--- /dev/null
+++ b/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl
@@ -0,0 +1,18 @@
+{
+ "Principal": {
+ "Service": "logging.s3.amazonaws.com"
+ },
+ "Action": [
+ "s3:PutObject"
+ ],
+ "Effect": "Allow",
+ "Resource": "${log_bucket_arn}/*",
+ "Condition": {
+ "ArnLike": {
+ "aws:SourceArn": ${source_bucket_arns}
+ },
+ "StringEquals": {
+ "aws:SourceAccount": "${account_id}"
+ }
+ }
+}
diff --git a/s3-logs.tf b/s3-logs.tf
index 6f67ab6..c2c6db8 100644
--- a/s3-logs.tf
+++ b/s3-logs.tf
@@ -23,13 +23,15 @@ resource "aws_s3_bucket_public_access_block" "logs" {
 restrict_public_buckets = true
 }
+# If default encryption is enabled on the target bucket, AES256 (SSE-S3) must be selected as the encryption key
+# https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/
+#tfsec:ignore:aws-s3-encryption-customer-key
 resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
 bucket = aws_s3_bucket.logs.bucket
 rule {
 apply_server_side_encryption_by_default {
- kms_master_key_id = aws_kms_key.logs.arn
- sse_algorithm = "aws:kms"
+ sse_algorithm = "AES256"
 }
 }
 }
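Review bot: The statement in log-delivery-access.json.tpl carries no `Sid`, so once it is rendered into the logs bucket policy it cannot be told apart from the other statements when reading the effective policy or tracing a later change; add `"Sid": "AllowS3ServerAccessLogDelivery",` as the first key. Note also that `${source_bucket_arns}` is interpolated without surrounding quotes, so the value handed to the template must already be a JSON array — the jsonencode() calls in s3-logs.tf satisfy this, but a JSON template has no comment syntax, so that expectation is best recorded on the template_file data source that renders it. Scoping the `logging.s3.amazonaws.com` principal with both `aws:SourceArn` and `aws:SourceAccount` is the right guard for a service principal writing into this bucket.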
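Review bot: Changing `sse_algorithm` to `"AES256"` in `aws_s3_bucket_server_side_encryption_configuration.logs` only governs objects written from now on; any log objects the bucket already holds stay encrypted under `aws_kms_key.logs`, and the kms.tf hunk removes that key, which the provider carries out by scheduling it for deletion after its `deletion_window_in_days = 10`. Once the key is deleted those earlier access logs can no longer be decrypted, so either keep the key resource until the existing objects have expired or been re-written under SSE-S3, or confirm the bucket is empty before applying. The justification comment above the `tfsec:ignore` is the right way to suppress that finding; it would be worth extending it with the retention consequence, e.g. `# Objects written before this change remain SSE-KMS; do not delete the old key while they are still needed`.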
@@ -42,13 +44,29 @@ data "template_file" "logs_bucket_enforce_tls_statement" {
 }
 }
+data "template_file" "logs_bucket_log_delivery_access_statement" {
+ template = file("${path.module}/policies/s3-bucket-policy-statements/log-delivery-access.json.tpl")
+
+ vars = {
+ log_bucket_arn = aws_s3_bucket.logs.arn
+ source_bucket_arns = local.cloudfront_enable_apex_to_www_redirect ? jsonencode([
+ aws_s3_bucket.frontend.arn,
+ aws_s3_bucket.frontend_www_redirect.0.arn,
+ ]) : jsonencode([
+ aws_s3_bucket.frontend.arn,
+ ])
+ account_id = local.account_id
+ }
+}
+
 data "template_file" "logs_bucket_policy" {
 template = file("${path.module}/policies/s3-bucket-policy.json.tpl")
 vars = {
 statement = <