diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 1b18343..ecce90c 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -2,6 +2,8 @@ provider "aws" {
   region = var.region
 }
 
+#S3 access controls, policies and logging should be created as seperate terraform resources
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-specify-public-access-block
 resource "aws_s3_bucket" "default" {
   count = module.this.enabled ? 1 : 0
 
diff --git a/main.tf b/main.tf
index 61223b1..0ef48e5 100644
--- a/main.tf
+++ b/main.tf
@@ -141,6 +141,8 @@ data "aws_iam_policy_document" "prevent_unencrypted_uploads" {
   }
 }
 
+#S3 access controls, policies and logging are defined as seperate terraform resources below
+#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-ignore-public-acls tfsec:ignore:aws-s3-no-public-buckets tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning tfsec:ignore:aws-s3-specify-public-access-block
 resource "aws_s3_bucket" "default" {
   count = local.bucket_enabled ? 1 : 0
 
@@ -241,7 +243,7 @@ resource "aws_dynamodb_table" "with_server_side_encryption" {
   # https://www.terraform.io/docs/backends/types/s3.html#dynamodb_table
   hash_key = "LockID"
 
-  server_side_encryption {
+  server_side_encryption { #tfsec:ignore:aws-dynamodb-table-customer-key
     enabled = true
   }