diff --git a/tests/integration/targets/s3_bucket/inventory b/tests/integration/targets/s3_bucket/inventory
index 93963af4c94..b79b5d6cc73 100644
--- a/tests/integration/targets/s3_bucket/inventory
+++ b/tests/integration/targets/s3_bucket/inventory
@@ -6,6 +6,7 @@ complex
 dotted
 tags
 encryption_kms
+encryption_bucket_key
 encryption_sse
 public_access
 acl
diff --git a/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml
new file mode 100644
index 00000000000..37c6800ce98
--- /dev/null
+++ b/tests/integration/targets/s3_bucket/roles/s3_bucket/tasks/encryption_bucket_key.yml
@@ -0,0 +1,94 @@
+---
+- module_defaults:
+    group/aws:
+      aws_access_key: "{{ aws_access_key }}"
+      aws_secret_key: "{{ aws_secret_key }}"
+      security_token: "{{ security_token | default(omit) }}"
+      region: "{{ aws_region }}"
+  block:
+    - set_fact:
+        local_bucket_name: "{{ bucket_name | hash('md5')}}e-kms"
+    # ============================================================
+
+    - name: 'Create a simple bucket'
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: present
+      register: output
+
+    - name: 'Enable aws:kms encryption with KMS master key'
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: present
+        encryption: "aws:kms"
+      register: output
+
+    - name: 'Enable bucket key for bucket with aws:kms encryption'
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: present
+        encryption: "aws:kms"
+        encryption_bucket_key: true
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
+    - name: 'Re-enable bucket key for bucket with aws:kms encryption (idempotent)'
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        encryption_bucket_key: true
+      register: output
+
+    - assert:
+        that:
+          - not output.changed
+          - output.encryption
+          - output.encryption.SSEAlgorithm == 'aws:kms'
+
+    # ============================================================
+
+    - name: Disable encryption from bucket
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        encryption_bucket_key: true
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+          - not output.encryption
+
+    - name: Disable encryption from bucket (idempotent)
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        encryption_bucket_key: true
+      register: output
+
+    - assert:
+        that:
+          - output is not changed
+          - not output.encryption
+
+    # ============================================================
+
+    - name: Delete encryption test s3 bucket
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: absent
+      register: output
+
+    - assert:
+        that:
+          - output.changed
+
+    # ============================================================
+  always:
+    - name: Ensure all buckets are deleted
+      s3_bucket:
+        name: '{{ local_bucket_name }}'
+        state: absent
+      ignore_errors: yes
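Review bot: The `Disable encryption from bucket` task passes exactly the same arguments as the preceding `Re-enable bucket key ... (idempotent)` task (`encryption_bucket_key: true`, no `encryption`), yet its assert expects `output.changed` and `not output.encryption` where the earlier one expects `not output.changed` and `output.encryption`; both cannot hold for one module, so the disable step (and its idempotent repeat) is presumably missing the argument that removes the default-encryption rule, likely `encryption: "none"` — confirm against the module's accepted choices. Neither assert after enabling the bucket key checks the bucket-key state itself, only `SSEAlgorithm`, so an implementation that reports changed but never sets BucketKeyEnabled would still pass; if the module surfaces it, add `- output.encryption.BucketKeyEnabled` to the first assert and `- output.encryption.BucketKeyEnabled` to the idempotent one, otherwise read the bucket's encryption configuration back directly and assert on that. The `Create a simple bucket` and the two `Enable` steps register `output` but assert nothing, so a failure to apply `aws:kms` would only surface indirectly later. Minor: `ignore_errors: yes` in the `always:` cleanup should be `ignore_errors: true` per Ansible's boolean convention.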