diff --git a/.changelog/20600.txt b/.changelog/20600.txt
new file mode 100644
index 00000000000..e0e2b2d9995
--- /dev/null
+++ b/.changelog/20600.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_config_delivery_channel: Add `s3_kms_key_arn` argument
+```
\ No newline at end of file
diff --git a/aws/resource_aws_config_delivery_channel.go b/aws/resource_aws_config_delivery_channel.go
index de55d601472..fcbecb6a4c8 100644
--- a/aws/resource_aws_config_delivery_channel.go
+++ b/aws/resource_aws_config_delivery_channel.go
@@ -41,6 +41,11 @@ func resourceAwsConfigDeliveryChannel() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 },
+ "s3_kms_key_arn": {
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateFunc: validateArn,
+ },
 "sns_topic_arn": {
 Type: schema.TypeString,
 Optional: true,
@@ -76,6 +81,9 @@ func resourceAwsConfigDeliveryChannelPut(d *schema.ResourceData, meta interface{
 if v, ok := d.GetOk("s3_key_prefix"); ok {
 channel.S3KeyPrefix = aws.String(v.(string))
 }
+ if v, ok := d.GetOk("s3_kms_key_arn"); ok {
+ channel.S3KmsKeyArn = aws.String(v.(string))
+ }
 if v, ok := d.GetOk("sns_topic_arn"); ok {
 channel.SnsTopicARN = aws.String(v.(string))
 }
@@ -151,6 +159,7 @@ func resourceAwsConfigDeliveryChannelRead(d *schema.ResourceData, meta interface
 d.Set("name", channel.Name)
 d.Set("s3_bucket_name", channel.S3BucketName)
 d.Set("s3_key_prefix", channel.S3KeyPrefix)
+ d.Set("s3_kms_key_arn", channel.S3KmsKeyArn)
 d.Set("sns_topic_arn", channel.SnsTopicARN)
 
 if channel.ConfigSnapshotDeliveryProperties != nil {
diff --git a/aws/resource_aws_config_delivery_channel_test.go b/aws/resource_aws_config_delivery_channel_test.go
index 741e1add713..090e6aa4c1e 100644
--- a/aws/resource_aws_config_delivery_channel_test.go
+++ b/aws/resource_aws_config_delivery_channel_test.go
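Review bot: The new `"s3_kms_key_arn"` schema entry is validated only by `validateArn`, so an ARN for the wrong service or region passes plan and is rejected only at apply time by PutDeliveryChannel, and nothing on the field tells a reader what this value controls or what must be in place for it to work. Setting it switches the objects Config delivers to the bucket to encryption under that key, and the test in this same change grants the Config service role `kms:Decrypt` and `kms:GenerateDataKey` on the key, which indicates the role (and presumably the key policy, not visible here) must allow those actions or delivery fails. I would put above the field: `// KMS key AWS Config uses to encrypt objects it delivers to the S3 bucket; the Config service role also needs kms:GenerateDataKey/kms:Decrypt on the key or delivery fails.` The Put hunk sends no value when the argument is unset; if PutDeliveryChannel replaces the whole channel, dropping the argument from config clears the key server-side, which looks intended but is worth a one-line comment there. resourceAwsConfigDeliveryChannel, resourceAwsConfigDeliveryChannelPut and resourceAwsConfigDeliveryChannelRead all continue outside their hunks.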
@@ -117,6 +117,7 @@ func testAccConfigDeliveryChannel_allParams(t *testing.T) {
 resource.TestCheckResourceAttr(resourceName, "name", expectedName),
 resource.TestCheckResourceAttr(resourceName, "s3_bucket_name", expectedBucketName),
 resource.TestCheckResourceAttr(resourceName, "s3_key_prefix", "one/two/three"),
+ resource.TestCheckResourceAttrPair(resourceName, "s3_kms_key_arn", "aws_kms_key.k", "arn"),
 resource.TestCheckResourceAttrPair(resourceName, "sns_topic_arn", "aws_sns_topic.t", "arn"),
 resource.TestCheckResourceAttr(resourceName, "snapshot_delivery_properties.0.delivery_frequency", "Six_Hours"),
 ),
@@ -320,6 +321,14 @@ resource "aws_iam_role_policy" "p" {
 "${aws_s3_bucket.b.arn}",
 "${aws_s3_bucket.b.arn}/*"
 ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
+ ],
+ "Resource": "${aws_kms_key.k.arn}"
 }
 ]
 }
@@ -335,10 +344,34 @@ resource "aws_sns_topic" "t" {
 name = "tf-acc-test-%d"
 }
 
+resource "aws_kms_key" "k" {
+ description = "tf-acc-test-awsconfig-%d"
+ deletion_window_in_days = 7
+
+ policy = <
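Review bot: The only coverage of the new argument is the `TestCheckResourceAttrPair` line added to the allParams step, so the update paths — adding `s3_kms_key_arn` to an existing channel and removing it again — are not exercised, and removal is exactly where the Put path sending a nil S3KmsKeyArn matters. A follow-up step in the same test that applies the config without the key and checks `resource.TestCheckResourceAttr(resourceName, "s3_kms_key_arn", "")` would pin that removal clears the key rather than leaving a stale value in state. The role-policy hunk grants the Config role `kms:Decrypt` and `kms:GenerateDataKey` on the key, but the key's own policy sits in the hunk that is cut off at the end of this page, so I cannot confirm it also authorizes the role. testAccConfigDeliveryChannel_allParams and the config template both continue outside these hunks.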