diff --git a/lib/local-constructs/cloudwatch-to-s3/index.ts b/lib/local-constructs/cloudwatch-to-s3/index.ts
index a66fcf02f1..0d7aae9408 100644
--- a/lib/local-constructs/cloudwatch-to-s3/index.ts
+++ b/lib/local-constructs/cloudwatch-to-s3/index.ts
@@ -35,7 +35,7 @@ export class CloudWatchToS3 extends Construct {
 
     firehoseRole.addToPolicy(
       new PolicyStatement({
-        actions: ["logs:PutLogEvents"],
+        actions: ["logs:PutLogEvents", "logs:CreateLogGroup"],
         resources: [
           `arn:aws:logs:${cdk.Stack.of(this).region}:${
             cdk.Stack.of(this).account