diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index 831c6f9..11feee5 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -3,7 +3,7 @@
 provider "registry.terraform.io/hashicorp/aws" {
 version = "5.39.0"
- constraints = ">= 4.0.0"
+ constraints = ">= 5.0.0"
 hashes = [
 "h1:isoOv/JipnnPD3j8Df6XwGU1i4egjlygrgBv0RfsZ7g=",
 "zh:01e405306470ed784bc9d38dbaeff394bd2c0f7d58e5592c5d0165c87d84e4b0",
diff --git a/main.tf b/main.tf
index f902da4..b7da3fd 100644
--- a/main.tf
+++ b/main.tf
@@ -14,15 +14,16 @@ resource "aws_s3_bucket" "terraform_state" {
 }
 resource "aws_s3_bucket_versioning" "enabled" {
- bucket = aws_s3_bucket.terraform_state.id
+ bucket = aws_s3_bucket.terraform_state.bucket
 versioning_configuration {
 status = "Enabled"
+ mfa_delete = "Disabled"
 }
 }
 resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
- bucket = aws_s3_bucket.terraform_state.id
+ bucket = aws_s3_bucket.terraform_state.bucket
 rule {
 apply_server_side_encryption_by_default {
@@ -33,7 +34,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 }
 resource "aws_s3_bucket_public_access_block" "public_access" {
- bucket = aws_s3_bucket.terraform_state.id
+ bucket = aws_s3_bucket.terraform_state.bucket
 block_public_acls = true
 block_public_policy = true
 ignore_public_acls = true
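Review bot: `mfa_delete = "Disabled"` in aws_s3_bucket_versioning.enabled spells out the default on the Terraform state bucket, where MFA delete is one of the usual hardening controls, so without a reason next to it the line reads as an oversight rather than a decision. A short comment would settle that, e.g. `# MFA delete can only be enabled with the root account's MFA credentials (the resource's mfa argument), not from the assumed role in providers.tf`. The switch from `.id` to `.bucket` is behaviour-neutral here, since both attributes of aws_s3_bucket resolve to the bucket name; the same switch appears in the -33 hunk below. aws_s3_bucket_versioning.enabled is complete within this hunk.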
@@ -41,15 +42,40 @@ resource "aws_s3_bucket_public_access_block" "public_access" {
 }
+# DynamoBD CMK
+resource "aws_kms_key" "dynamodb" {
+ description = "DynamoDB Table Server side encryption"
+ enable_key_rotation = true
+ key_usage = "ENCRYPT_DECRYPT"
+
+}
+
+resource "aws_kms_alias" "dynamodb" {
+ name = format("alias/%s-dynamodb-CMK", var.resource_name_prefix,)
+ target_key_id = aws_kms_key.dynamodb.key_id
+}
+
+
 resource "aws_dynamodb_table" "terraform_locks" {
 name = "omnicognate-terraform-locks"
 billing_mode = "PAY_PER_REQUEST"
 hash_key = "LockID"
+ depends_on = [ aws_s3_bucket_versioning.enabled ]
 attribute {
 name = "LockID"
 type = "S"
 }
+ server_side_encryption {
+ enabled = true
+ kms_key_arn = aws_kms_key.dynamodb.arn
+ }
+ point_in_time_recovery {
+ enabled = true
+ }
+ lifecycle {
+ prevent_destroy = true
+ }
 tags = merge(
 { Name = "${var.resource_name_prefix}-aws_dynamodb_table" },
 var.common_tags,
diff --git a/providers.tf b/providers.tf
index 09ded84..cdafd11 100644
--- a/providers.tf
+++ b/providers.tf
@@ -8,7 +8,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.0.0"
+ version = ">= 5.0.0"
 }
 }
 }
@@ -16,7 +16,7 @@ provider "aws" {
 region = var.aws_region
 # using aws-vault to assume a role
 assume_role {
- duration = "1h"
+ duration = "3600s"
 role_arn = var.role_arn
 }
 }
diff --git a/s3remote.tfplan b/s3remote.tfplan
new file mode 100644
index 0000000..844675a
Binary files /dev/null and b/s3remote.tfplan differ
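Review bot: The `depends_on = [ aws_s3_bucket_versioning.enabled ]` added to aws_dynamodb_table.terraform_locks has no visible justification: nothing in the table reads the versioning resource, and the ordering that matters (key before table) already follows from `kms_key_arn = aws_kms_key.dynamodb.arn`, so the line should be dropped or carry a comment such as `# ordering only: the state bucket must be versioned before the lock table is created`. The table is guarded with `prevent_destroy = true` but the new aws_kms_key.dynamodb that encrypts it is not; once that key is scheduled for deletion and its window (30 days unless `deletion_window_in_days` is set) lapses, the table's data is unreadable, so the same `lifecycle { prevent_destroy = true }` belongs on the key. In aws_kms_alias.dynamodb the `format("alias/%s-dynamodb-CMK", var.resource_name_prefix,)` call has a stray trailing comma and reads more plainly as `name = "alias/${var.resource_name_prefix}-dynamodb-CMK"`; the header comment also misspells DynamoDB as `DynamoBD`. The terraform_locks resource continues past the end of the hunk (the tags merge is cut off).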
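Review bot: s3remote.tfplan is a binary Terraform plan file being committed to the repository; a saved plan typically carries the full planned resource state and the input variable values (here at least var.role_arn and var.aws_region from providers.tf) in a form that `terraform show` prints back, so it does not belong under version control. Drop it from the commit and add an ignore rule such as `*.tfplan`; if the file has already reached a shared remote, treat whatever it contained as disclosed and rotate or review accordingly.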