diff --git a/modules/essentials/data.tf b/modules/essentials/data.tf
index 378e8c5..eabb9ec 100644
--- a/modules/essentials/data.tf
+++ b/modules/essentials/data.tf
@@ -30,9 +30,11 @@ data "aws_iam_policy_document" "fluent_bit" {
     resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"]
 
     actions = [
+      "logs:CreateLogGroup",
       "logs:CreateLogStream",
       "logs:DescribeLogGroups",
       "logs:DescribeLogStreams",
+      "logs:PutRetentionPolicy",
     ]
   }
 }