diff --git a/s3/config.go b/s3/config.go
index 2d6baf92..5da6d5d3 100644
--- a/s3/config.go
+++ b/s3/config.go
@@ -50,6 +50,22 @@ const (
 	// Its default value is "false", to enable set to "true".
 	// This feature is useful for s3-compatible blob stores -- ie minio.
 	ConfigV2Signing = "v2_signing"
+
+	// ConfigMFADelete specifies whether MFA delete is enabled in the bucket versioning configuration.
+	// This element is only returned if the bucket has been configured with MFA
+	// delete. If the bucket has never been so configured, this element is not returned.
+	// By default 'Disabled'
+	ConfigMFADelete = "mfa_delete"
+
+	// ConfigVersioningStatus specifies the versioning state of the bucket. By default 'Enabled'
+	ConfigVersioningStatus = "versioning"
+
+	// ConfigKMSMasterKeyID specifies the KMS key ID, when ConfigKServerSideEncryption is set to KMS
+	ConfigKMSMasterKeyID = "kms_master_key_id"
+
+	// ConfigServerSideEncryptionAlgorithm is the algorithm to use for encryption (AES256 | aws:kms)
+	// https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html
+	ConfigServerSideEncryptionAlgorithm = "server_side_encryption_algorithm"
 )
 
 func init() {
diff --git a/s3/location.go b/s3/location.go
index 1186161b..b7588356 100644
--- a/s3/location.go
+++ b/s3/location.go
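Review bot: The doc comment on ConfigKMSMasterKeyID refers to `ConfigKServerSideEncryption`, an identifier that does not exist in this hunk; the constant it depends on is ConfigServerSideEncryptionAlgorithm, and the value that makes the key meaningful is `aws:kms`, not "KMS". The comment on ConfigMFADelete reads like the AWS GetBucketVersioning response description ("This element is only returned…"), which says nothing about what a caller should put in this config key. I would replace them with `// ConfigKMSMasterKeyID is the KMS key ID to use as the bucket default; only meaningful when ConfigServerSideEncryptionAlgorithm is "aws:kms".` and `// ConfigMFADelete sets MFADelete in the bucket versioning configuration ("Enabled" | "Disabled"); defaults to "Disabled". Enabling it requires an MFA token and root credentials on the PutBucketVersioning call.` The remaining constants in the const block lie outside the hunk.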
@@ -21,6 +21,45 @@ type location struct {
 	client *s3.S3
 }
 
+// ConfigureVersioning configures versioning on the S3 bucket
+func (l *location) ConfigureVersioning(containerName string) error {
+	vc := &s3.VersioningConfiguration{}
+	if mfa, mfaSet := l.config.Config(ConfigMFADelete); mfaSet && mfa != "" {
+		vc.MFADelete = aws.String(mfa)
+	} else {
+		// by default disable MFA delete
+		vc.MFADelete = aws.String("Disabled")
+	}
+	if sta, staSet := l.config.Config(ConfigVersioningStatus); staSet && sta != "" {
+		vc.Status = aws.String(sta)
+	} else {
+		// by default enable versioning
+		vc.Status = aws.String("Enabled")
+	}
+	input := &s3.PutBucketVersioningInput{
+		Bucket: aws.String(containerName),
+		VersioningConfiguration: vc,
+	}
+	_, err := l.client.PutBucketVersioning(input)
+	return err
+}
+
+// ConfigureEncryption configures versioning on the S3 bucket
+func (l *location) ConfigureEncryption(containerName string) error {
+	sseCfg := &s3.ServerSideEncryptionByDefault{}
+	if alg, algSet := l.config.Config(ConfigServerSideEncryptionAlgorithm); algSet && alg != "" {
+		sseCfg.SSEAlgorithm = aws.String(alg)
+	}
+	if kms, kmsSet := l.config.Config(ConfigKMSMasterKeyID); kmsSet && kms != "" {
+		sseCfg.KMSMasterKeyID = aws.String(kms)
+	}
+	rules := []*s3.ServerSideEncryptionRule{{ApplyServerSideEncryptionByDefault: sseCfg}}
+	serverConfig := &s3.ServerSideEncryptionConfiguration{Rules: rules}
+	input := &s3.PutBucketEncryptionInput{Bucket: aws.String(containerName), ServerSideEncryptionConfiguration: serverConfig}
+	_, err := l.client.PutBucketEncryption(input)
+	return err
+}
+
 // CreateContainer creates a new container, in this case an S3 bucket.
 // The bare minimum needed is a container name, but there are many other
 // options that can be provided.
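Review bot: ConfigureEncryption sends a PutBucketEncryption whose SSEAlgorithm is nil whenever `server_side_encryption_algorithm` is not configured, and it lets a `kms_master_key_id` be paired with a non-KMS (or absent) algorithm; SSEAlgorithm is, as far as I recall, a required field of ServerSideEncryptionByDefault in aws-sdk-go, so the unconfigured case is rejected by request validation instead of yielding any encryption-at-rest default, and a key sent with AES256 is either rejected or silently ignored. I would derive `aws:kms` from the presence of a key, fall back to AES256 when nothing is set, and refuse a contradictory pair up front, as below (errors.Errorf assumes the pkg/errors package CreateContainer already uses for errors.Wrap). The doc comment on ConfigureEncryption is pasted from ConfigureVersioning and should read `// ConfigureEncryption configures default server-side encryption on the S3 bucket.` Separately, ConfigureVersioning always writes MFADelete, `Disabled` unless configured, so a call against a bucket that already has MFA delete enabled is an attempt to weaken it and will fail without an x-amz-mfa value; leaving `vc.MFADelete` unset unless `mfa_delete` is configured avoids that, and enabling it additionally needs the MFA field on PutBucketVersioningInput plus root credentials, which this code has no way to supply.

```go
// ConfigureEncryption configures default server-side encryption on the S3 bucket.
func (l *location) ConfigureEncryption(containerName string) error {
	sseCfg := &s3.ServerSideEncryptionByDefault{}
	alg, algSet := l.config.Config(ConfigServerSideEncryptionAlgorithm)
	kms, kmsSet := l.config.Config(ConfigKMSMasterKeyID)
	switch {
	case kmsSet && kms != "":
		// A KMS key is only honoured with the aws:kms algorithm; refuse a contradictory pair.
		if algSet && alg != "" && alg != s3.ServerSideEncryptionAwsKms {
			return errors.Errorf("ConfigureEncryption: %s=%q conflicts with %s", ConfigServerSideEncryptionAlgorithm, alg, ConfigKMSMasterKeyID)
		}
		sseCfg.SSEAlgorithm = aws.String(s3.ServerSideEncryptionAwsKms)
		sseCfg.KMSMasterKeyID = aws.String(kms)
	case algSet && alg != "":
		sseCfg.SSEAlgorithm = aws.String(alg)
	default:
		// SSEAlgorithm is mandatory; SSE-S3 is the safe floor when nothing is configured.
		sseCfg.SSEAlgorithm = aws.String(s3.ServerSideEncryptionAes256)
	}
	// … unchanged: rules, serverConfig, input and the PutBucketEncryption call …
}
```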
@@ -34,7 +73,7 @@ func (l *location) CreateContainer(containerName string) (stow.Container, error)
 		return nil, errors.Wrap(err, "CreateContainer, creating the bucket")
 	}
 
-	region, _ := l.config.Config("region")
+	region, _ := l.config.Config(ConfigRegion)
 
 	newContainer := &container{
 		name: containerName,