diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf b/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
index 6dc7b127b6..2c86c5441a 100644
--- a/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
+++ b/terraform/addons/byo-firehose-logging-destination/firehose/outputs.tf
@@ -6,6 +6,8 @@ output "fleet_extra_environment_variables" {
 FLEET_FIREHOSE_REGION = var.region
 FLEET_OSQUERY_STATUS_LOG_PLUGIN = "firehose"
 FLEET_OSQUERY_RESULT_LOG_PLUGIN = "firehose"
+ FLEET_ACTIVITY_ENABLE_AUDIT_LOG = length(var.firehose_audit_name) > 0 ? "true" : "false"
+ FLEET_ACTIVITY_AUDIT_LOG_PLUGIN = "firehose" # only has an effect if ^ is true
 }
 }
diff --git a/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf b/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
index 4927b04600..c7c8161e34 100644
--- a/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
+++ b/terraform/addons/byo-firehose-logging-destination/firehose/variables.tf
@@ -13,6 +13,11 @@ variable "firehose_status_name" {
 description = "name of the firehose delivery stream for osquery status logs"
 }

+variable "firehose_audit_name" {
+ type = string
+ description = "name of the firehose delivery stream for fleet audit logs"
+}
+
 variable "region" {
 type = string
 description = "region the target firehose delivery stream is in"
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf b/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
index 88d210484d..7f9d56096d 100644
--- a/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/firehose.tf
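Review bot: `FLEET_ACTIVITY_AUDIT_LOG_PLUGIN = "firehose"` tells Fleet to route audit logs to Firehose, but nothing in this hunk tells Fleet which delivery stream the audit logs go to; the results and status plugins presumably get their stream names from the lines of this output above the hunk, which are outside this view. Unless the audit stream is already wired up there, the hunk needs the matching entry, e.g. `FLEET_FIREHOSE_AUDIT_STREAM = var.firehose_audit_name`, otherwise enabling the audit log configures a plugin with no destination. The `fleet_extra_environment_variables` output block starts above the hunk.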
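Review bot: `variable "firehose_audit_name"` is declared without a default in this module, while the same variable added to target-account/variables.tf later in this diff defaults to `""` and the outputs treat an empty value as "audit logging disabled"; as written, every existing caller of the firehose module must now pass the variable just to keep the previous behaviour. Adding `default = ""` under the description keeps the two modules consistent and makes the change backward-compatible for existing callers.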
@@ -30,10 +30,13 @@ data "aws_iam_policy_document" "firehose_policy" {
 statement {
 effect = "Allow"
 actions = ["logs:PutLogEvents"]
- resources = [
+ resources = concat([
 "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_results_name}:*",
- "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_status_name}:*"
- ]
+ "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_status_name}:*",
+ ],
+ var.firehose_status_name == "" ? [] : [
+ "arn:aws:logs:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:log-group:/aws/kinesisfirehose/${var.firehose_audit_name}:*"
+ ])
 }

 statement {
@@ -92,4 +95,20 @@ resource "aws_kinesis_firehose_delivery_stream" "osquery_status" {
 role_arn = aws_iam_role.firehose.arn
 bucket_arn = aws_s3_bucket.destination.arn
 }
-}
\ No newline at end of file
+}
+
+resource "aws_kinesis_firehose_delivery_stream" "fleet_audit" {
+ count = length(var.firehose_audit_name) > 0 ? 1 : 0
+ name = var.firehose_audit_name
+ destination = "s3"
+
+ server_side_encryption {
+ key_arn = aws_kms_key.firehose.arn
+ }
+
+ s3_configuration {
+ prefix = var.audit_prefix
+ role_arn = aws_iam_role.firehose.arn
+ bucket_arn = aws_s3_bucket.destination.arn
+ }
+}
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf b/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
index 60c814101c..596ef0a73f 100644
--- a/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/iam.tf
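Review bot: The conditional inside the new `concat` tests `var.firehose_status_name == ""` but the ARN it guards is built from `var.firehose_audit_name`; because `firehose_status_name` defaults to `"osquery_status"` in this module, the audit log-group grant is emitted even when no audit stream is configured, yielding `log-group:/aws/kinesisfirehose/:*` with an empty stream name, and it would be dropped if the status name were ever empty while an audit name was set. The guard should test the variable it protects, `var.firehose_audit_name == "" ? [] : [`, so the `logs:PutLogEvents` grant exists only when the `fleet_audit` stream is created by the matching `count` condition further down in this file. The `firehose_policy` document begins above the hunk.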
@@ -4,7 +4,7 @@ resource "aws_iam_role" "fleet_role" {

 data "aws_iam_policy_document" "assume_role" {
 statement {
- effect = "Allow"
+ effect = "Allow"
 actions = ["sts:AssumeRole"]
 principals {
 identifiers = [var.fleet_iam_role_arn]
@@ -21,7 +21,10 @@ data "aws_iam_policy_document" "firehose" {
 "firehose:PutRecord",
 "firehose:PutRecordBatch",
 ]
- resources = [aws_kinesis_firehose_delivery_stream.osquery_results.arn, aws_kinesis_firehose_delivery_stream.osquery_status.arn]
+ resources = [
+ aws_kinesis_firehose_delivery_stream.osquery_results.arn,
+ aws_kinesis_firehose_delivery_stream.osquery_status.arn
+ ]
 }

 statement {
@@ -42,4 +45,39 @@ resource "aws_iam_policy" "fleet_firehose" {
 resource "aws_iam_role_policy_attachment" "fleet_firehose" {
 policy_arn = aws_iam_policy.fleet_firehose.arn
 role = aws_iam_role.fleet_role.name
+}
+
+data "aws_iam_policy_document" "firehose_audit" {
+ count = length(var.firehose_audit_name) > 0 ? 1 : 0
+ statement {
+ effect = "Allow"
+ actions = [
+ "firehose:DescribeDeliveryStream",
+ "firehose:PutRecord",
+ "firehose:PutRecordBatch",
+ ]
+ resources = [
+ aws_kinesis_firehose_delivery_stream.fleet_audit.*.arn
+ ]
+ }
+
+ statement {
+ effect = "Allow"
+ actions = [
+ "kms:Decrypt",
+ "kms:GenerateDataKey"
+ ]
+ resources = [aws_kms_key.firehose.arn]
+ }
+}
+
+resource "aws_iam_policy" "fleet_firehose_audit" {
+ count = length(var.firehose_audit_name) > 0 ? 1 : 0
+ policy = data.aws_iam_policy_document.firehose_audit.*.json
+}
+
+resource "aws_iam_role_policy_attachment" "fleet_firehose_audit" {
+ count = length(var.firehose_audit_name) > 0 ? 1 : 0
+ policy_arn = aws_iam_policy.fleet_firehose_audit.*.arn
+ role = aws_iam_role.fleet_role.name
 }
\ No newline at end of file
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf b/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
index 546627f2c6..61c7692faf 100644
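Review bot: The three splat expressions in the new `firehose_audit` block each evaluate to a list where the attribute expects something else: `resources = [aws_kinesis_firehose_delivery_stream.fleet_audit.*.arn]` nests a list inside the list of strings, `policy = data.aws_iam_policy_document.firehose_audit.*.json` passes a list to a string attribute, and `policy_arn = aws_iam_policy.fleet_firehose_audit.*.arn` does the same, so the plan should fail on type conversion as soon as an audit stream name is set. Since all three objects are gated by the same `count`, index them instead: `resources = aws_kinesis_firehose_delivery_stream.fleet_audit.*.arn`, `policy = data.aws_iam_policy_document.firehose_audit[count.index].json`, `policy_arn = aws_iam_policy.fleet_firehose_audit[count.index].arn`. The condition `length(var.firehose_audit_name) > 0 ? 1 : 0` is now written out four times across iam.tf and firehose.tf; a single `local` would keep the stream, its policy and its attachment from drifting apart, which matters here because the attachment grants `firehose:PutRecord*` on whatever the splat resolves to.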
--- a/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/s3.tf
@@ -31,4 +31,4 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "destination" {
 sse_algorithm = "aws:kms"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf b/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
index 9420df5657..c46beea668 100644
--- a/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
+++ b/terraform/addons/byo-firehose-logging-destination/target-account/variables.tf
@@ -15,6 +15,12 @@ variable "firehose_status_name" {
 default = "osquery_status"
 }

+variable "firehose_audit_name" {
+ type = string
+ description = "firehose delivery stream name for Fleet audit logs"
+ default = ""
+}
+
 variable "fleet_iam_role_arn" {
 type = string
 description = "the arn of the fleet role that firehose will assume to write data to your bucket"
@@ -28,4 +34,9 @@ variable "results_prefix" {
 variable "status_prefix" {
 default = "status/"
 description = "s3 object prefix to give status logs"
+}
+
+variable "audit_prefix" {
+ default = "audit/"
+ description = "s3 object prefix to give Fleet audit logs"
 }
\ No newline at end of file