diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index ac9f25758..95432d0e5 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -109,6 +109,6 @@ data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
       "logs:DescribeLogStreams",
     ]
 
-    resources = ["*"]
+    resources = ["${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}/*"]
   }
 }