diff --git a/modules/s3-remote-state/main.tf b/modules/s3-remote-state/main.tf
index 6626ea39..66c0fb7e 100644
--- a/modules/s3-remote-state/main.tf
+++ b/modules/s3-remote-state/main.tf
@@ -35,12 +35,26 @@ variable "force_destroy" {
 type = bool
 }
 
+variable "kms_key_id" {
+ description = "The ARN of a KMS Key to use for encrypting the state"
+ type = string
+}
+
 resource "aws_s3_bucket" "remote-state" {
 bucket = var.bucket_name
 acl = "private"
 region = var.region
 force_destroy = var.force_destroy
 
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = var.kms_key_id
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
 versioning {
 enabled = var.versioning
 }
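Review bot: The `apply_server_side_encryption_by_default` rule added to `aws_s3_bucket.remote-state` only sets a default for objects written after the change, so state files already in the bucket (and their older versions, where `var.versioning` is enabled) keep the encryption they were stored with until they are rewritten or copied in place. The default also does not prevent a writer from sending a different explicit encryption header; if state must always be under `var.kms_key_id`, the usual complement is a bucket policy statement denying `s3:PutObject` when `s3:x-amz-server-side-encryption-aws-kms-key-id` does not match the key. None is visible here, though the resource body continues past the hunk and the policy may live elsewhere. `kms_key_id` is declared without a default, so it becomes a required input for every existing caller of the module; the description could say so and name the key-policy requirement, e.g. `description = "ARN of the KMS key for default encryption of the state bucket (required; principals using the state need kms:Decrypt and kms:GenerateDataKey on it)"`.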