diff --git a/aws-s3-private-bucket/main.tf b/aws-s3-private-bucket/main.tf
index df72eb65..04aa5b48 100755
--- a/aws-s3-private-bucket/main.tf
+++ b/aws-s3-private-bucket/main.tf
@@ -110,11 +110,13 @@ resource "aws_s3_bucket" "bucket" {
 }
 }
- # TODO
- # logging {
- # target_bucket = ""
- # target_prefix = ""
- # }
+ dynamic "logging" {
+ for_each = var.logging_bucket == null ? [] : [var.logging_bucket]
+ content {
+ target_bucket = var.logging_bucket.name
+ target_prefix = var.logging_bucket.prefix
+ }
+ }
 server_side_encryption_configuration {
 rule {
diff --git a/aws-s3-private-bucket/variables.tf b/aws-s3-private-bucket/variables.tf
index cf6b46a0..ce714550 100755
--- a/aws-s3-private-bucket/variables.tf
+++ b/aws-s3-private-bucket/variables.tf
@@ -71,6 +71,12 @@ variable "transfer_acceleration" {
 default = false
 }
+variable "logging_bucket" {
+ type = object({ name = string, prefix = string })
+ description = "Log bucket name and prefix to enable logs for this bucket"
+ default = null
+}
+
 variable "public_access_block" {
 type = bool
 default = true
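Review bot: Inside the `content` block the attributes read `var.logging_bucket.name` and `var.logging_bucket.prefix` directly rather than the iterator, so the `for_each` list only acts as an on/off switch; `target_bucket = logging.value.name` and `target_prefix = logging.value.prefix` would keep the block self-contained. Nothing visible in the hunk checks that the target is a different bucket from the one being created or that it accepts S3 log delivery, so a comment above the block such as `# target bucket must allow S3 log delivery writes and should not be this bucket` would help callers. The `aws_s3_bucket` resource body starts and ends outside the hunk, so any existing ACL or policy handling there is not visible from here.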
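Review bot: With `default = null` every bucket created through this module has server access logging off unless the caller opts in, and the description does not say so. For a private-bucket module that means the audit trail is silently absent by default, so I would state it: `description = "Target bucket name and key prefix for S3 server access logs; null (the default) leaves access logging disabled"`. Both attributes of the object type are required, so a caller who wants no prefix still has to pass `prefix = ""`, which is worth mentioning in the description as well.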