diff --git a/pulumi/__main__.py b/pulumi/__main__.py index f84bcb1..cd11b2d 100644 --- a/pulumi/__main__.py +++ b/pulumi/__main__.py @@ -12,6 +12,7 @@ import tb_pulumi import tb_pulumi.fargate import tb_pulumi.network +import tb_pulumi.s3 import tb_pulumi.secrets from site24x7 import main as site24x7 @@ -29,6 +30,7 @@ site24x7() if build_tbpulumi: + # Resources that don't require a VPC or subnets psm_opts = resources.get('tb:secrets:PulumiSecretsManager', {}).get('secrets') psm = tb_pulumi.secrets.PulumiSecretsManager( name=f'{project.name_prefix}-secrets', @@ -36,6 +38,17 @@ **psm_opts, ) + s3_bucket_opts = resources.get('tb:s3:S3Bucket', {}) + s3_buckets = { + bucket_name: tb_pulumi.s3.S3Bucket( + name=f'{project.name_prefix}-s3bucket-{bucket_name}', + project=project, + **bucket_config, + ) + for bucket_name, bucket_config in s3_bucket_opts.items() + } + + # The VPC and everything that depends upon it vpc_config = resources.get('tb:network:MultiCidrVpc', {}).get('fluentbit', {}) vpc_fluentbit = tb_pulumi.network.MultiCidrVpc( f'{project.name_prefix}-vpc-fluentbit', diff --git a/pulumi/config.dev.yaml b/pulumi/config.dev.yaml index e29a67a..84352d9 100644 --- a/pulumi/config.dev.yaml +++ b/pulumi/config.dev.yaml @@ -9,6 +9,10 @@ resources: secrets: secret_names: - posthog_api_key + + tb:s3:S3Bucket: + cloudtrail: + bucket_name: tb-observability-cloudtrail-target-dev tb:network:MultiCidrVpc: fluentbit: diff --git a/pulumi/config.prod.yaml b/pulumi/config.prod.yaml index 333a236..f2530d5 100644 --- a/pulumi/config.prod.yaml +++ b/pulumi/config.prod.yaml @@ -11,6 +11,10 @@ resources: secret_names: - posthog_api_key + tb:s3:S3Bucket: + cloudtrail: + bucket_name: tb-observability-cloudtrail-target-prod + tb:network:MultiCidrVpc: fluentbit: # The observability project has all of 10.200.0.0/16 assigned to it, but let's not soak all diff --git a/pulumi/config.stage.yaml b/pulumi/config.stage.yaml index 9fe4881..cc0c300 100644 --- a/pulumi/config.stage.yaml 
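Review bot: `resources.get('tb:s3:S3Bucket', {})` falls back to `{}` only when the key is absent. A key left empty in the YAML (`tb:s3:S3Bucket:` with no children) loads as `None`, and the `.items()` call in the comprehension then raises `AttributeError`; `s3_bucket_opts = resources.get('tb:s3:S3Bucket') or {}` covers both cases. The loop variable `bucket_name` holds the config key (`cloudtrail`), while each entry also carries its own `bucket_name` option that reaches `S3Bucket` through `**bucket_config`, so renaming the loop variable to something like `bucket_key` would keep the two apart. Because `**bucket_config` forwards the YAML untouched, an entry containing `name` or `project` would fail with a duplicate-keyword `TypeError`, which deserves a short comment above the comprehension. The `if build_tbpulumi:` block starts before and continues after this hunk.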
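Review bot: The `cloudtrail` entry sets only `bucket_name`, so every protection on what is, judging by the name, an audit-log destination depends on defaults inside `tb_pulumi.s3.S3Bucket`, which this diff does not show. Those protections are blocked public access, default encryption, versioning, and a bucket policy limited to the CloudTrail service principal. It would be worth confirming those defaults and setting the relevant options explicitly in the config if they fall short. A comment above the entry such as `# CloudTrail log target: must stay private, encrypted and versioned` would record the intent. The same applies to the matching hunks in `config.prod.yaml` and `config.stage.yaml`.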
+++ b/pulumi/config.stage.yaml @@ -10,6 +10,10 @@ resources: secret_names: - posthog_api_key + tb:s3:S3Bucket: + cloudtrail: + bucket_name: tb-observability-cloudtrail-target-stage + tb:network:MultiCidrVpc: fluentbit: # The observability project has all of 10.201.0.0/16 assigned to it, but let's not soak all