diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
index 34755353fb202..156fe5de9fab3 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
@@ -77,6 +77,8 @@ const securityGroup2 = new ec2.SecurityGroup(this, 'SecurityGroup2', { vpc });
 lb.addSecurityGroup(securityGroup2);
 ```
 
+NOTE: Enabling ALB logs using an encryption enabled Amazon S3 Bucket is currently unsupported
+
 ### Conditions
 
 It's possible to route traffic to targets based on conditions in the incoming
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
index 10291f2369849..b983f7a4ff748 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -1,5 +1,6 @@
 import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as s3 from '@aws-cdk/aws-s3';
 import * as cxschema from '@aws-cdk/cloud-assembly-schema';
 import { Duration, Lazy, Names, Resource } from '@aws-cdk/core';
 import * as cxapi from '@aws-cdk/cx-api';
@@ -415,6 +416,19 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
       ...props,
     }).attachTo(this);
   }
+
+  /**
+   * Enable access logging for this load balancer.
+   *
+   * A region must be specified on the stack containing the load balancer; you cannot enable logging on
+   * environment-agnostic stacks. See https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+   */
+  public logAccessLogs(bucket: s3.IBucket, prefix?: string) {
+    if (bucket.encryptionKey) {
+      throw new Error('Encryption key detected. Bucket encryption using KMS keys is unsupported');
+    }
+    return super.logAccessLogs(bucket, prefix);
+  }
 }
 
 /**
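Review bot: The guard in the new `logAccessLogs` override only fires when `bucket.encryptionKey` is populated, which presumably holds for buckets defined in the same app (as in the new test) or imported with an explicit key; a bucket imported by name or ARN that is SSE-KMS encrypted on the service side passes the check unchanged and the failure would surface at deploy time instead, so the override is a best-effort convenience and its doc comment should say so. I'd add `@throws Error if the bucket exposes a KMS encryptionKey; imported buckets without one are not checked.` to the comment, and give the override an explicit return type matching the base method so the public signature stays checked rather than inferred. The README line in the first hunk says any "encryption enabled" bucket is unsupported, while the code rejects only a KMS key — aligning the README with the error message (e.g. "a bucket encrypted with a KMS key") keeps the two statements consistent. The enclosing class starts outside the hunk.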
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json b/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
index cbe5644a089fb..0789b71bb1180 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/package.json
@@ -100,6 +100,7 @@
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "constructs": "^10.0.0"
   },
   "homepage": "https://github.com/aws/aws-cdk",
@@ -115,6 +116,7 @@
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
+    "@aws-cdk/aws-kms": "0.0.0",
     "constructs": "^10.0.0"
   },
   "engines": {
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
index 61c8dc470545f..2b4ebdd3e1018 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts
@@ -1,6 +1,7 @@
 import { Match, Template } from '@aws-cdk/assertions';
 import { Metric } from '@aws-cdk/aws-cloudwatch';
 import * as ec2 from '@aws-cdk/aws-ec2';
+import * as kms from '@aws-cdk/aws-kms';
 import * as s3 from '@aws-cdk/aws-s3';
 import * as cdk from '@aws-cdk/core';
 import * as elbv2 from '../../lib';
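Review bot: Both package.json hunks (at -100 and -115) register `@aws-cdk/aws-kms` as a runtime and a peer dependency, yet in the visible hunks the only import of it is in the test file; the library change imports `@aws-cdk/aws-s3` and reads `bucket.encryptionKey` without referencing the kms module. Unless the package's dependency linting requires it for the transitive type of `encryptionKey`, `devDependencies` is the narrower scope and avoids forcing every consumer to install a package the library itself does not load.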
@@ -147,15 +148,31 @@ describe('tests', () => {
   describe('logAccessLogs', () => {
-    function loggingSetup(): { stack: cdk.Stack, bucket: s3.Bucket, lb: elbv2.ApplicationLoadBalancer } {
+    function loggingSetup(withEncryption: boolean = false): { stack: cdk.Stack, bucket: s3.Bucket, lb: elbv2.ApplicationLoadBalancer } {
       const app = new cdk.App();
       const stack = new cdk.Stack(app, undefined, { env: { region: 'us-east-1' } });
       const vpc = new ec2.Vpc(stack, 'Stack');
-      const bucket = new s3.Bucket(stack, 'AccessLoggingBucket');
+      let bucketProps = {};
+      if (withEncryption) {
+        const myKey = new kms.Key(stack, 'MyKey');
+        bucketProps = { ...bucketProps, encryption: s3.BucketEncryption.KMS, encryptionKey: myKey };
+      }
+      const bucket = new s3.Bucket(stack, 'AccessLoggingBucket', { ...bucketProps });
       const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
       return { stack, bucket, lb };
     }
 
+    test('should throw an error when a kms bucketkey is detected', () => {
+      // GIVEN
+      const { bucket, lb } = loggingSetup(true);
+
+      // WHEN
+      const logAccessLogFunctionTest = () => lb.logAccessLogs(bucket);
+
+      // THEN
+      expect(logAccessLogFunctionTest).toThrow('Encryption key detected. Bucket encryption using KMS keys is unsupported');
+    });
+
     test('sets load balancer attributes', () => {
       // GIVEN
       const { stack, bucket, lb } = loggingSetup();