diff --git a/terraform/compliance/s3.feature b/terraform/compliance/s3.feature
index 0def1a0dd..b7d7cca60 100644
--- a/terraform/compliance/s3.feature
+++ b/terraform/compliance/s3.feature
@@ -4,6 +4,7 @@ Feature: S3
 @exclude_module.qlik_server\[0\].aws_s3_bucket.qlik_alb_logs\[0\]
 @exclude_module.airflow.aws_s3_bucket.bucket
 @exclude_aws_s3_bucket.mwaa_bucket
+ @exclude_aws_s3_bucket.mwaa_etl_scripts_bucket
 Scenario: Data must be encrypted at rest for buckets created using server_side_encryption_configuration property within bucket resource
 Given I have aws_s3_bucket defined
 Then it must have server_side_encryption_configuration
diff --git a/terraform/core/46-mwaa-bucket-kms.tf b/terraform/core/46-mwaa-bucket-kms.tf
index 5ed1d7a92..bda71b766 100644
--- a/terraform/core/46-mwaa-bucket-kms.tf
+++ b/terraform/core/46-mwaa-bucket-kms.tf
@@ -89,3 +89,30 @@ resource "aws_s3_bucket_public_access_block" "mwaa_bucket_block" {
 ignore_public_acls = true
 restrict_public_buckets = true
 }
+
+resource "aws_s3_bucket" "mwaa_etl_scripts_bucket" {
+ bucket = "${local.identifier_prefix}-mwaa-etl-scripts-bucket"
+
+ tags = module.tags.values
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "mwaa_etl_scripts_bucket_encryption" {
+ bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ kms_master_key_id = aws_kms_key.mwaa_key.arn
+ }
+ bucket_key_enabled = true
+ }
+}
+
+resource "aws_s3_bucket_public_access_block" "mwaa_etl_scripts_bucket_block" {
+ bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
\ No newline at end of file
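Review bot: The new `@exclude_aws_s3_bucket.mwaa_etl_scripts_bucket` tag takes the bucket out of the only encryption-at-rest scenario visible in this hunk, and nothing here shows a scenario that checks the standalone `aws_s3_bucket_server_side_encryption_configuration` resource the bucket relies on instead. If no such scenario exists elsewhere in the feature, the exclusion list is quietly turning the check off for every bucket that uses the split resource; a scenario along the lines of `Given I have aws_s3_bucket_server_side_encryption_configuration defined` / `Then it must contain apply_server_side_encryption_by_default` / `Then it must contain sse_algorithm` would keep the control enforced. The growing exclusion list also gives no reason for each entry, so a comment above the tag such as `# encryption is configured via aws_s3_bucket_server_side_encryption_configuration in terraform/core/46-mwaa-bucket-kms.tf` would tell the next reader the exclusion is a resource-style difference rather than an unencrypted bucket.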
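Review bot: The new `aws_s3_bucket.mwaa_etl_scripts_bucket` gets KMS encryption and a public access block but no versioning, so an overwritten or deleted object cannot be recovered or compared against its previous version. Judging by the name, the bucket holds scripts that the MWAA environment executes (inferred; not shown in the hunk), and for that kind of content object history is also what lets you audit which version ran at a given time. Adding an `aws_s3_bucket_versioning` resource next to the encryption and public-access-block resources mirrors the pattern already used for this bucket and costs nothing operationally until objects are overwritten. The existing `mwaa_bucket` resources above this hunk may or may not have the same gap; the hunk does not show them.
```hcl
// … unchanged: aws_s3_bucket, aws_s3_bucket_server_side_encryption_configuration and aws_s3_bucket_public_access_block for mwaa_etl_scripts_bucket …

resource "aws_s3_bucket_versioning" "mwaa_etl_scripts_bucket_versioning" {
  bucket = aws_s3_bucket.mwaa_etl_scripts_bucket.id

  versioning_configuration {
    status = "Enabled"
  }
}
```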