diff --git a/templates/terraform/environments/prod/user_access.tf b/templates/terraform/environments/prod/user_access.tf
index bde5dd66..86e66eec 100644
--- a/templates/terraform/environments/prod/user_access.tf
+++ b/templates/terraform/environments/prod/user_access.tf
@@ -87,12 +87,12 @@ data "aws_iam_policy_document" "operator_access" {
   statement {
     effect = "Allow"
     actions = ["s3:ListBucket"]
-    resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}"]
+    resources = ["arn:aws:s3:::*-cloudtrail"]
   }
   statement {
     effect = "Allow"
     actions = ["s3:GetObject", "s3:PutObject"]
-    resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}/*"]
+    resources = ["arn:aws:s3:::*-cloudtrail/*"]
   }
 
   # Application secret management - this role can view and edit application secrets in the production environment
diff --git a/templates/terraform/environments/shared/main.tf b/templates/terraform/environments/shared/main.tf
index 5738a359..8b63fb25 100644
--- a/templates/terraform/environments/shared/main.tf
+++ b/templates/terraform/environments/shared/main.tf
@@ -15,6 +15,7 @@ locals {
   account_id = "<% index .Params `accountId` %>"
   random_seed = "<% index .Params `randomSeed` %>"
   shared_resource_prefix = "<% if ne (index .Params `sharedResourcePrefix`) "none" %><% index .Params `sharedResourcePrefix` %><% end %>"
+  enable_cloudtrail = <%if eq (index .Params `cloudtrailEnable`) "yes" %>1<% else %>0<% end %>
 }
 
 provider "aws" {
@@ -143,6 +144,7 @@ module "secret_keys" {
 
 # Enable AWS CloudTrail to help you audit governance, compliance, and operational risk of your AWS account, with logs stored in S3 bucket.
 module "cloudtrail" {
+  count = local.enable_cloudtrail
   source = "commitdev/zero/aws//modules/cloudtrail"
   version = "0.1.10"
 
diff --git a/tests/fixtures/test-project/zero-project.yml b/tests/fixtures/test-project/zero-project.yml
index 068a2bad..4c7cc34f 100644
--- a/tests/fixtures/test-project/zero-project.yml
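Review bot: The two new `resources` lines widen the prod operator role from the one CloudTrail bucket this project created to every bucket in the account whose name ends in `-cloudtrail` (`arn:aws:s3:::*-cloudtrail` and `arn:aws:s3:::*-cloudtrail/*`), and because the second statement still carries `s3:PutObject` the role can now write into any such bucket, including another project's audit-log bucket when several projects share an account, which the existing sharedResourcePrefix parameter suggests is an expected setup. If the wildcard was introduced only because the remote-state output stops existing once the cloudtrail module is counted, the safer shape is to keep the exact ARN and emit the statements conditionally; the shared outputs are not in this diff, so the `try()` below assumes `cloudtrail_bucket_id` is absent or null while CloudTrail is disabled. `data "aws_iam_policy_document" "operator_access"` begins before this hunk.
```hcl
  # Grant access to this project's own CloudTrail bucket only, and only when the shared
  # environment exports one (assumes the output is absent/null while CloudTrail is disabled).
  dynamic "statement" {
    for_each = try(data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id, null) != null ? [1] : []
    content {
      effect    = "Allow"
      actions   = ["s3:ListBucket"]
      resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}"]
    }
  }
  dynamic "statement" {
    for_each = try(data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id, null) != null ? [1] : []
    content {
      effect    = "Allow"
      actions   = ["s3:GetObject", "s3:PutObject"]
      resources = ["arn:aws:s3:::${data.terraform_remote_state.shared.outputs.cloudtrail_bucket_id}/*"]
    }
  }
  # … unchanged: application secret management statements …
```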
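Review bot: The added `enable_cloudtrail` local opens its template action as `<%if` while every other action in this `locals` block, including `<% if ne (...)` on the line just above, puts a space after the delimiter; add the space so the line reads `<% if eq (index .Params ...) "yes" %>1<% else %>0<% end %>`. The comparison also relies on the parameter arriving as the string "yes", which is worth a short trailing comment such as `# 1 when cloudtrailEnable == "yes", else 0; drives count on module "cloudtrail"`.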
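Review bot: Adding `count = local.enable_cloudtrail` turns `module.cloudtrail` into a list, so any existing `module.cloudtrail.<output>` reference elsewhere in the shared environment, presumably whatever produced the `cloudtrail_bucket_id` remote-state output that prod read before this commit, must become an indexed or splat form and must tolerate an empty list when the count is 0; those lines are not in this diff, so this is inferred. A second consequence worth stating in the module comment is that switching the parameter from yes to no on an already-deployed environment will plan to destroy the trail, and if the module also owns the log bucket (the existing comment says logs are stored in an S3 bucket) the audit history goes with it, which is an irreversible loss of evidence rather than a cost saving; consider a comment like `# count = 0 destroys the trail and its resources on the next apply; do not toggle off on an environment whose logs must be retained`. The `module "cloudtrail"` block continues past the end of this hunk.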
+++ b/tests/fixtures/test-project/zero-project.yml
@@ -10,6 +10,7 @@ modules:
     accountId: "123456781234"
     database: mysql
     fileUploads: "no"
+    cloudtrailEnable: "yes"
     loggingType: kibana
     metricsType: prometheus
     productionBackendSubdomain: api.
diff --git a/zero-module.yml b/zero-module.yml
index 30a056b8..65e7a822 100644
--- a/zero-module.yml
+++ b/zero-module.yml
@@ -209,3 +209,10 @@ parameters:
   - field: sharedResourcePrefix
     label: "Mostly for development - Allow shared resources to have a unique prefix. This is only necessary if many zero projects will be run in the same AWS account."
     value: "none"
+  - field: cloudtrailEnable
+    label: Enable cloudtrail?
+    info: "CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions. It can add $5-10 per month and may not provide much value to a smaller company"
+    default: no
+    options:
+      "yes": "Yes"
+      "no": "No"
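Review bot: `default: no` is the one unquoted yes/no value in this entry: the option keys are the quoted strings `"yes"` and `"no"`, the updated fixture writes `cloudtrailEnable: "yes"`, and the template in shared/main.tf compares the parameter to the string "yes" with `eq`. Depending on which YAML library the tool uses, a bare `no` may be decoded as the boolean false rather than the string "no", and a bool-versus-string `eq` in a Go template is a rendering error rather than a false result, so quote it as `default: "no"` to match the rest. The neighbouring entry uses `value:` where this one uses `default:`; if the schema treats both as the initial value that is fine, otherwise align on one key. The `parameters` list starts before this hunk.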