NHSDigital · amarauzoma · May 5, 2026 · May 5, 2026 · May 5, 2026 · May 6, 2026
diff --git a/infrastructure/instance/.terraform.lock.hcl b/infrastructure/instance/.terraform.lock.hcl
diff --git a/infrastructure/instance/endpoints.tf b/infrastructure/instance/endpoints.tf
@@ -111,16 +111,17 @@ output "oas" {
 module "api_gateway" {
   source = "./modules/api_gateway"
 
-  prefix                  = local.prefix
-  short_prefix            = local.short_prefix
-  zone_id                 = data.aws_route53_zone.project_zone.zone_id
-  api_domain_name         = local.service_domain_name
-  environment             = var.environment
-  sub_environment         = var.sub_environment
-  oas                     = local.oas
-  aws_region              = var.aws_region
-  immunisation_account_id = var.immunisation_account_id
-  csoc_account_id         = var.csoc_account_id
+  prefix                   = local.prefix
+  short_prefix             = local.short_prefix
+  zone_id                  = data.aws_route53_zone.project_zone.zone_id
+  api_domain_name          = local.service_domain_name
+  environment              = var.environment
+  sub_environment          = var.sub_environment
+  oas                      = local.oas
+  aws_region               = var.aws_region
+  immunisation_account_id  = var.immunisation_account_id
+  csoc_account_id          = var.csoc_account_id
+  access_log_target_bucket = var.enable_s3_access_logging ? local.s3_access_log_bucket_name : null
 }
 
 resource "aws_lambda_permission" "api_gw" {

diff --git a/infrastructure/instance/environments/preprod/int-blue/variables.tfvars b/infrastructure/instance/environments/preprod/int-blue/variables.tfvars
@@ -10,3 +10,5 @@ mesh_no_invocation_period_seconds       = 259200
 create_mesh_processor                   = true
 has_sub_environment_scope               = false
 dynamodb_point_in_time_recovery_enabled = true
+enable_s3_access_logging                = true
+s3_access_log_bucket_name               = "immunisation-preprod-s3-access-logs"
diff --git a/infrastructure/instance/environments/preprod/int-green/variables.tfvars b/infrastructure/instance/environments/preprod/int-green/variables.tfvars
@@ -10,3 +10,5 @@ mesh_no_invocation_period_seconds       = 259200
 create_mesh_processor                   = true
 has_sub_environment_scope               = false
 dynamodb_point_in_time_recovery_enabled = true
+enable_s3_access_logging                = true
+s3_access_log_bucket_name               = "immunisation-preprod-s3-access-logs"
diff --git a/infrastructure/instance/modules/api_gateway/mtls_cert.tf b/infrastructure/instance/modules/api_gateway/mtls_cert.tf
@@ -21,6 +21,13 @@ resource "aws_s3_bucket" "truststore_bucket" {
   force_destroy = true
 }
 
+resource "aws_s3_bucket_logging" "truststore_bucket" {
+  count         = var.access_log_target_bucket == null ? 0 : 1
+  bucket        = aws_s3_bucket.truststore_bucket.bucket
+  target_bucket = var.access_log_target_bucket
+  target_prefix = "${aws_s3_bucket.truststore_bucket.bucket}/"
+}
+
 resource "aws_s3_bucket_versioning" "truststore_bucket" {
   bucket = aws_s3_bucket.truststore_bucket.bucket
   versioning_configuration {

diff --git a/infrastructure/instance/modules/api_gateway/variables.tf b/infrastructure/instance/modules/api_gateway/variables.tf
@@ -16,3 +16,7 @@ variable "aws_region" {
 }
 variable "immunisation_account_id" {}
 variable "csoc_account_id" {}
+variable "access_log_target_bucket" {
+  type    = string
+  default = null
+}
diff --git a/infrastructure/instance/modules/splunk/backup.tf b/infrastructure/instance/modules/splunk/backup.tf
@@ -33,3 +33,10 @@ resource "aws_s3_bucket_policy" "failed_logs_backup_https_only" {
   bucket = aws_s3_bucket.failed_logs_backup.id
   policy = data.aws_iam_policy_document.failed_logs_backup_https_only.json
 }
+
+resource "aws_s3_bucket_logging" "failed_logs_backup" {
+  count         = var.access_log_target_bucket == null ? 0 : 1
+  bucket        = aws_s3_bucket.failed_logs_backup.bucket
+  target_bucket = var.access_log_target_bucket
+  target_prefix = "${aws_s3_bucket.failed_logs_backup.bucket}/"
+}
diff --git a/infrastructure/instance/modules/splunk/variables.tf b/infrastructure/instance/modules/splunk/variables.tf
@@ -5,3 +5,7 @@ locals {
 variable "splunk_endpoint" {}
 variable "hec_token" {}
 variable "force_destroy" {}
+variable "access_log_target_bucket" {
+  type    = string
+  default = null
+}
diff --git a/infrastructure/instance/s3_access_logging.tf b/infrastructure/instance/s3_access_logging.tf
@@ -0,0 +1,32 @@
+data "aws_s3_bucket" "existing_s3_access_log_bucket" {
+  count  = var.enable_s3_access_logging ? 1 : 0
+  bucket = local.s3_access_log_bucket_name
+}
+
+resource "aws_s3_bucket_logging" "batch_data_source_bucket" {
+  count         = var.enable_s3_access_logging ? 1 : 0
+  bucket        = aws_s3_bucket.batch_data_source_bucket.bucket
+  target_bucket = data.aws_s3_bucket.existing_s3_access_log_bucket[0].bucket
+  target_prefix = "${aws_s3_bucket.batch_data_source_bucket.bucket}/"
+}
+
+resource "aws_s3_bucket_logging" "batch_data_destination_bucket" {
+  count         = var.enable_s3_access_logging ? 1 : 0
+  bucket        = aws_s3_bucket.batch_data_destination_bucket.bucket
+  target_bucket = data.aws_s3_bucket.existing_s3_access_log_bucket[0].bucket
+  target_prefix = "${aws_s3_bucket.batch_data_destination_bucket.bucket}/"
+}
+
+resource "aws_s3_bucket_logging" "batch_config_bucket" {
+  count         = var.enable_s3_access_logging ? 1 : 0
+  bucket        = aws_s3_bucket.batch_config_bucket.bucket
+  target_bucket = data.aws_s3_bucket.existing_s3_access_log_bucket[0].bucket
+  target_prefix = "${aws_s3_bucket.batch_config_bucket.bucket}/"
+}
+
+resource "aws_s3_bucket_logging" "account_batch_data_source_bucket" {
+  count         = var.enable_s3_access_logging && !var.has_sub_environment_scope ? 1 : 0
+  bucket        = "immunisation-batch-${local.resource_scope}-data-sources"
+  target_bucket = data.aws_s3_bucket.existing_s3_access_log_bucket[0].bucket
+  target_prefix = "immunisation-batch-${local.resource_scope}-data-sources/"
+}
diff --git a/infrastructure/instance/splunk.tf b/infrastructure/instance/splunk.tf
@@ -6,9 +6,10 @@ data "aws_secretsmanager_secret_version" "splunk_token_id" {
 }
 
 module "splunk" {
-  source          = "./modules/splunk"
-  prefix          = local.prefix
-  splunk_endpoint = "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event"
-  hec_token       = data.aws_secretsmanager_secret_version.splunk_token_id.secret_string
-  force_destroy   = local.is_temp
+  source                   = "./modules/splunk"
+  prefix                   = local.prefix
+  splunk_endpoint          = "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event"
+  hec_token                = data.aws_secretsmanager_secret_version.splunk_token_id.secret_string
+  force_destroy            = local.is_temp
+  access_log_target_bucket = var.enable_s3_access_logging ? local.s3_access_log_bucket_name : null
 }
diff --git a/infrastructure/instance/variables.tf b/infrastructure/instance/variables.tf
@@ -224,17 +224,30 @@ variable "redis_sync_image_uri" {
   }
 }
 
+variable "s3_access_log_bucket_name" {
+  description = "Destination bucket used for S3 server access logs"
+  type        = string
+  default     = ""
+}
+
+variable "enable_s3_access_logging" {
+  description = "When true, manage S3 server access logging resources in this stack"
+  type        = bool
+  default     = false
+}
+
 locals {
-  prefix              = "${var.project_name}-${var.service}-${var.sub_environment}"
-  short_prefix        = "${var.project_short_name}-${var.sub_environment}"
-  batch_prefix        = "immunisation-batch-${var.sub_environment}"
-  root_domain_name    = "${var.environment}.vds.platform.nhs.uk"
-  project_domain_name = "imms.${local.root_domain_name}"
-  service_domain_name = "${var.sub_environment}.${local.project_domain_name}"
-  config_bucket_arn   = aws_s3_bucket.batch_config_bucket.arn
-  config_bucket_name  = aws_s3_bucket.batch_config_bucket.bucket
-  is_temp             = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0
-  resource_scope      = var.has_sub_environment_scope ? var.sub_environment : var.environment
+  prefix                    = "${var.project_name}-${var.service}-${var.sub_environment}"
+  short_prefix              = "${var.project_short_name}-${var.sub_environment}"
+  batch_prefix              = "immunisation-batch-${var.sub_environment}"
+  root_domain_name          = "${var.environment}.vds.platform.nhs.uk"
+  project_domain_name       = "imms.${local.root_domain_name}"
+  service_domain_name       = "${var.sub_environment}.${local.project_domain_name}"
+  config_bucket_arn         = aws_s3_bucket.batch_config_bucket.arn
+  config_bucket_name        = aws_s3_bucket.batch_config_bucket.bucket
+  is_temp                   = length(regexall("[a-z]{2,4}-?[0-9]+", var.sub_environment)) > 0
+  resource_scope            = var.has_sub_environment_scope ? var.sub_environment : var.environment
+  s3_access_log_bucket_name = var.s3_access_log_bucket_name != "" ? var.s3_access_log_bucket_name : "immunisation-${var.environment}-s3-access-logs"
   # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.
   # public_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.gateway_id) > 0]
   # Private subnet - The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.