diff --git a/_data.tf b/_data.tf
index e26d851..79b6b02 100644
--- a/_data.tf
+++ b/_data.tf
@@ -19,4 +19,5 @@
 #}
 #
-data "aws_region" "current" {}
\ No newline at end of file
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
\ No newline at end of file
diff --git a/_variables.tf b/_variables.tf
index 99f6f12..3bef68f 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -4,7 +4,12 @@ variable "slack_endpoint" {
 default = ""
-description = "endpoint to Slack notifications chanel"
+description = "endpoint to Slack notifications channel (optional)"
+}
+
+variable "email" {
+ default = ""
+ description = "Email address to subscribe notification to (optional)"
 }
 variable "sns_topic_name" {
@@ -22,3 +27,9 @@ variable "account_ids" {
 default = []
 description = "List of accounts to allow publishing to SNS (optional - only when SNS topic is created)"
 }
+
+variable "sns_kms_encryption" {
+ type = bool
+ default = false
+ description = "Enabled KMS CMK encryption at rest for SNS Topic"
+}
\ No newline at end of file
diff --git a/email.tf b/email.tf
new file mode 100644
index 0000000..505cddb
--- /dev/null
+++ b/email.tf
@@ -0,0 +1,6 @@
+resource "aws_sns_topic_subscription" "alarm_email" {
+ count = var.email != "" ? 1 : 0
+ topic_arn = aws_sns_topic.default[0].arn
+ protocol = "email"
+ endpoint = var.email
+}
\ No newline at end of file
diff --git a/kms.tf b/kms.tf
new file mode 100644
index 0000000..105515e
--- /dev/null
+++ b/kms.tf
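Review bot: The new `email` variable in the first `_variables.tf` hunk declares no `type`, unlike the `sns_kms_encryption` variable added in the second hunk, which declares `type = bool`; add `type = string` so a non-string value is rejected at plan time rather than coerced before the `var.email != ""` comparison in email.tf. The description of `sns_kms_encryption` reads `Enabled KMS CMK encryption at rest for SNS Topic`; `Enables KMS CMK encryption at rest for the SNS topic` is the intended wording. Two context lines after `variable "sns_topic_name" {` appear to be missing from this rendering of the first hunk, so its tail cannot be reviewed here.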
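Review bot: `count = var.email != "" ? 1 : 0` on `alarm_email` in email.tf only checks the address, but `topic_arn = aws_sns_topic.default[0].arn` indexes a resource whose count is `var.sns_topic_name != "" ? 1 : 0` (sns-topic.tf), so setting `email` without `sns_topic_name` fails at plan time with an invalid index; use `count = var.email != "" && var.sns_topic_name != "" ? 1 : 0` to mirror the "only when SNS topic is created" caveat already on `account_ids`. An `email` subscription also remains pending until the recipient confirms it, and whether this resource accepts the email protocol at all depends on the AWS provider version — the commented-out `aws sns subscribe ... --protocol email` provisioner in sns-topic.tf suggests that was worked around before. A comment above the resource such as `# Email subscriptions must be confirmed by the recipient; the resource cannot complete that step` would set expectations for operators.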
@@ -0,0 +1,30 @@
+data "aws_iam_policy_document" "kms_policy_sns" {
+ count = var.sns_kms_encryption ? 1 : 0
+ statement {
+ sid = "Enable IAM User Permissions"
+ effect = "Allow"
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ actions = ["kms:*"]
+ resources = ["*"]
+ }
+ statement {
+ actions = [ "kms:Decrypt","kms:GenerateDataKey*"]
+ principals {
+ type = "Service"
+ identifiers = ["cloudwatch.amazonaws.com","lambda.amazonaws.com"]
+ }
+ resources = ["*"]
+ sid = "allow-services-kms"
+ }
+}
+
+resource "aws_kms_key" "sns" {
+ count = var.sns_kms_encryption ? 1 : 0
+ deletion_window_in_days = 7
+ description = "SNS CMK Encryption Key"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.kms_policy_sns[0].json
+}
\ No newline at end of file
diff --git a/sns-topic.tf b/sns-topic.tf
index a2f0810..b6bd460 100644
--- a/sns-topic.tf
+++ b/sns-topic.tf
@@ -1,7 +1,7 @@
 resource "aws_sns_topic" "default" {
- count = var.sns_topic_name != "" ? 1 : 0
- name = var.sns_topic_name
-
+ count = var.sns_topic_name != "" ? 1 : 0
+ name = var.sns_topic_name
+ kms_master_key_id = var.sns_kms_encryption ? aws_kms_key.sns[0].id : null # default key does not allow cloudwatch alarms to publish
 # provisioner "local-exec" {
 # command = "aws sns subscribe --topic-arn ${self.arn} --region ${data.aws_region.current.name} --protocol email --notification-endpoint ${var.sns_subscribe_list}"
 # }
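Review bot: The `allow-services-kms` statement in `kms_policy_sns` grants `kms:Decrypt` and `kms:GenerateDataKey*` to the `cloudwatch.amazonaws.com` and `lambda.amazonaws.com` service principals with no `condition`, so the grant is not tied to this account and those services could use the key on behalf of resources in other accounts (the cross-service confused-deputy case); scope it with a `condition` on `aws:SourceAccount` set to `data.aws_caller_identity.current.account_id`, which the services involved appear to honour — confirm against the AWS documentation for each. It is also not clear from the hunk why `lambda.amazonaws.com` is listed: a Lambda function publishing to the topic uses its execution role, which IAM and the account-root statement already cover, so either drop it or add a comment on the statement naming the caller that needs the service principal. `deletion_window_in_days = 7` is the shortest window AWS permits, and messages encrypted under a deleted key are unrecoverable; consider the 30-day default or exposing the window as a variable.
```hcl
  statement {
    # … unchanged: actions, principals, resources, sid …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
```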
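Review bot: `kms_master_key_id = var.sns_kms_encryption ? aws_kms_key.sns[0].id : null` encrypts the topic with a key whose policy (kms.tf in this commit) grants use only to this account's root and two service principals, while the existing `account_ids` variable is described as allowing other accounts to publish to the topic; if a topic policy built from `account_ids` exists (it is not in this diff), those cross-account publishers will be denied by KMS once encryption is enabled unless the key policy also grants them `kms:GenerateDataKey*` and `kms:Decrypt`. Either add a statement for `var.account_ids` to `kms_policy_sns` or state the limitation in the `sns_kms_encryption` description. The trailing comment `# default key does not allow cloudwatch alarms to publish` would be clearer as `# the AWS-managed SNS key cannot be used by CloudWatch alarms, so a customer-managed key is required`.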