diff --git a/.gitignore b/.gitignore
index 5723603..f56f6b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ headdesk-aws/
 vsphere-yige/
 anz-sandbox/
 1.SandboxTesting/
+*.tfvars
diff --git a/EksIp6Nginxpod/eks-bastion.tf b/EksIp6Nginxpod/eks-bastion.tf
index 69fcedb..692f486 100644
--- a/EksIp6Nginxpod/eks-bastion.tf
+++ b/EksIp6Nginxpod/eks-bastion.tf
@@ -1,5 +1,5 @@
 module "BastionRole" {
-  source                  = "../../modules/security_identity_compliance/iam-role-v2"
+  source                  = "../modules/security_identity_compliance/iam-role-v2"
   description             = "EKS bastion instance profile"
   role-name               = "BastionInstanceProfile"
   trusted-entity          = "ec2.amazonaws.com"
@@ -34,7 +34,7 @@ resource "aws_iam_role_policy_attachment" "BastionProfilePermissions" {
 
 module "eks-bastion" {
   depends_on = [module.eks] # essential for initializing kubectl in userdata
-  source     = "../../modules/compute/ec2"
+  source     = "../modules/compute/ec2"
 
   additional-tags  = {}
   ami-id           = data.aws_ami.this.id
@@ -46,7 +46,7 @@ module "eks-bastion" {
   instance-name    = "${var.environment}-eks-bastion-${random_pet.pet.id}"
   instance-type    = "t4g.micro"
   key-name         = aws_key_pair.kp.key_name
-  kms-key-id       = ""
+  kms-key-id       = module.KmsKeys.cmks.storage.arn
   root-volume-size = "8"
   # security-groups  = [module.bastion-sg.id, module.eks.cluster_primary_security_group_id]
   security-groups  = [module.bastion-sg.id]
@@ -121,11 +121,12 @@ resource "aws_key_pair" "kp" {
 }
 
 module "bastion-sg" {
-  source = "../../modules/compute/security_group"
+  source = "../modules/compute/security_group"
 
   description = "${var.environment}-eks-bastion-${random_pet.pet.id}-sg"
   egress = {
-    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress"
+    r1 = "-1,-1,-1,0.0.0.0/0,Allow egress ipv4"
+    r2 = "-1,-1,-1,::/0,Allow egress ipv6"
   }
   ingress = {
     r1 = "tcp,22,22,0.0.0.0/0,ssh"
@@ -133,14 +134,3 @@ module "bastion-sg" {
   name   = "eks-bastion-${random_pet.pet.id}-sg"
   vpc-id = module.vpc.vpc_id
 }
-
-# my security_group module does not support ipv6_cidr_blocks
-resource "aws_security_group_rule" "ipv6_egress" {
-  security_group_id = module.bastion-sg.id
-  type              = "egress"
-  from_port         = -1
-  to_port           = -1
-  protocol          = "all"
-  ipv6_cidr_blocks  = ["::/0"]
-  description       = "Allow ipv6 egress"
-}
\ No newline at end of file
diff --git a/EksIp6Nginxpod/main.tf b/EksIp6Nginxpod/main.tf
index 728aaff..0f947b6 100644
--- a/EksIp6Nginxpod/main.tf
+++ b/EksIp6Nginxpod/main.tf
@@ -68,39 +68,6 @@ module "vpc" {
 }
 
 # EKS resources
-module "CsiPodIdentity" {
-  source      = "../../modules/security_identity_compliance/iam-role-v2"
-  description = "EKSCSIDriverRole"
-  role-name   = "AmazonEBSCSIDriverRole"
-  trusted-entity = jsonencode(
-    {
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Effect" : "Allow",
-          "Principal" : {
-            "Service" : "pods.eks.amazonaws.com"
-          },
-          "Action" : [
-            "sts:AssumeRole",
-            "sts:TagSession"
-          ]
-        }
-      ]
-    }
-  )
-}
-
-# 2 policies are required for the ebs csi to work
-resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
-  for_each = toset([
-    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
-    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
-  ])
-  role       = module.CsiPodIdentity.name
-  policy_arn = each.value
-}
-
 locals {
   userdata = <<EOT
 MIME-Version: 1.0
@@ -147,6 +114,8 @@ resource "aws_launch_template" "node_lt" {
     ebs {
       volume_size = 20
       volume_type = "gp3"
+      encrypted   = true
+      kms_key_id  = module.KmsKeys.cmks.eksebs.arn
     }
   }
   # must not specify this # image_id  = data.aws_ami.eks_worker.id
@@ -190,21 +159,28 @@ module "eks" {
       source_security_group_id = module.bastion-sg.id
     }
   }
-  vpc_id                      = module.vpc.vpc_id
-  subnet_ids                  = module.vpc.private_subnets
-  ip_family                   = "ipv6"
-  create_cni_ipv6_iam_policy  = true
-  create_kms_key              = true
-  endpoint_private_access     = true
-  endpoint_public_access      = false
-  enable_irsa                 = false
-  create_cloudwatch_log_group = false
-  create_node_security_group  = true
+  vpc_id                                 = module.vpc.vpc_id
+  subnet_ids                             = module.vpc.private_subnets
+  ip_family                              = "ipv6"
+  create_cni_ipv6_iam_policy             = true
+  create_kms_key                         = false
+  create_cloudwatch_log_group            = true
+  cloudwatch_log_group_kms_key_id        = module.KmsKeys.cmks.log.arn
+  cloudwatch_log_group_retention_in_days = 14
+  endpoint_private_access                = true
+  endpoint_public_access                 = false
+  enable_irsa                            = false
+  create_node_security_group             = true
   # authentication_mode         = "API_AND_CONFIG_MAP" # use access entries and leave this to default
   upgrade_policy = {
     support_type = "STANDARD"
   }
 
+  encryption_config = {
+    resources        = ["secrets"]
+    provider_key_arn = module.KmsKeys.cmks.secret.arn
+  }
+
   addons = {
     coredns = {}
     eks-pod-identity-agent = {
@@ -294,4 +270,25 @@ resource "aws_security_group_rule" "eks_node_alb_ingress" {
   security_group_id = module.eks.node_security_group_id
   ipv6_cidr_blocks  = [module.vpc.vpc_ipv6_cidr_block]
   description       = "ALB to nginx pods port 80"
+}
+
+
+# CMK for encryption
+
+module "KmsKeys" {
+  source = "../modules/security_identity_compliance/CustomerManagedKmsKeys"
+
+  rotation_period_in_days = 180
+  enable_key_rotation     = true
+  deletion_window_in_days = 7
+  name-prefix             = "${var.environment}-${var.project}"
+  create_asg_role         = false
+  create-allpurpose-key   = false
+  create-backup-key       = false
+  create-database-key     = false
+  create-eksebs-key       = true
+  create-log-key          = true
+  create-notify-key       = false
+  create-secret-key       = true
+  create-storage-key      = false
 }
\ No newline at end of file
diff --git a/EksIp6Nginxpod/pod_identities.tf b/EksIp6Nginxpod/pod_identities.tf
index de86dfd..3b8035f 100644
--- a/EksIp6Nginxpod/pod_identities.tf
+++ b/EksIp6Nginxpod/pod_identities.tf
@@ -11,4 +11,37 @@ module "aws_lb_controller_pod_identity" {
       service_account = "aws-load-balancer-controller-sa"
     }
   }
+}
+
+module "CsiPodIdentity" {
+  source      = "../modules/security_identity_compliance/iam-role-v2"
+  description = "EKSCSIDriverRole"
+  role-name   = "AmazonEBSCSIDriverRole"
+  trusted-entity = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : {
+            "Service" : "pods.eks.amazonaws.com"
+          },
+          "Action" : [
+            "sts:AssumeRole",
+            "sts:TagSession"
+          ]
+        }
+      ]
+    }
+  )
+}
+
+# 2 policies are required for the ebs csi to work
+resource "aws_iam_role_policy_attachment" "CsiPodIdentity" {
+  for_each = toset([
+    "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
+    "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
+  ])
+  role       = module.CsiPodIdentity.name
+  policy_arn = each.value
 }
\ No newline at end of file
diff --git a/EksIp6Nginxpod/variables.tf b/EksIp6Nginxpod/variables.tf
index f1563df..ecfc6b6 100644
--- a/EksIp6Nginxpod/variables.tf
+++ b/EksIp6Nginxpod/variables.tf
@@ -1,12 +1,28 @@
-variable "aws-region" {}
-variable "aws-region-short" {}
-variable "customer-name" {}
-variable "environment" {}
-variable "project" {}
-variable "application" {}
-variable "eks_master_user_arn" {}
-
+variable "aws-region" {
+  description = "AWS region"
+  type        = string
+}
+variable "customer-name" {
+  description = "Owner of application"
+  type        = string
+}
+variable "environment" {
+  description = "Name of environment (i.e. Prod/Lab)"
+  type        = string
+}
+variable "project" {
+  description = "Name of project"
+  type        = string
+}
+variable "application" {
+  description = "Name of application"
+  type        = string
+}
+variable "eks_master_user_arn" {
+  description = "EKS administrator ARN which will be added to access entry"
+  type        = string
+}
 variable "eks_cluster_name" {
   type    = string
-  default = "xpk-eks01"
+  default = "acme-eks01"
 }
\ No newline at end of file
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
index 5f5db57..777327f 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/main.tf
@@ -144,6 +144,12 @@ resource "aws_kms_alias" "storage" {
   target_key_id = aws_kms_key.storage[0].id
 }
 
+resource "aws_kms_alias" "eks_ebs" {
+  count         = var.create-eksebs-key ? 1 : 0
+  name          = "alias/${local.prefix}eksebs"
+  target_key_id = aws_kms_key.eks_ebs[0].id
+}
+
 resource "aws_kms_alias" "database" {
   count         = var.create-database-key ? 1 : 0
   name          = "alias/${local.prefix}database"
diff --git a/modules/security_identity_compliance/CustomerManagedKmsKeys/outputs.tf b/modules/security_identity_compliance/CustomerManagedKmsKeys/outputs.tf
index 721517f..76d2804 100644
--- a/modules/security_identity_compliance/CustomerManagedKmsKeys/outputs.tf
+++ b/modules/security_identity_compliance/CustomerManagedKmsKeys/outputs.tf
@@ -28,6 +28,10 @@ output "cmks" {
     storage = {
       alias = one(aws_kms_alias.storage.*.name)
       arn   = one(aws_kms_key.storage.*.arn)
+    },
+    eksebs = {
+      alias = one(aws_kms_alias.eks_ebs.*.name)
+      arn   = one(aws_kms_key.eks_ebs.*.arn)
     }
   }
 }
\ No newline at end of file