diff --git a/infra/cloudwatch.tf b/infra/cloudwatch.tf
new file mode 100644
index 0000000..e12c088
--- /dev/null
+++ b/infra/cloudwatch.tf
@@ -0,0 +1,19 @@
+locals {
+ log_group_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/${var.lambda_function_name}:*"
+}
+
+data aws_iam_policy_document cloudwatch_logs {
+ statement {
+ sid = "createLogGroup"
+
+ actions = [
+ "logs:CreateLogGroup",
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ]
+
+ resources = [local.log_group_arn]
+
+ }
+
+}
diff --git a/infra/data.tf b/infra/data.tf
new file mode 100644
index 0000000..f4693af
--- /dev/null
+++ b/infra/data.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
diff --git a/infra/lambda.tf b/infra/lambda.tf
index 2c81a23..22e5c41 100644
--- a/infra/lambda.tf
+++ b/infra/lambda.tf
@@ -31,4 +31,10 @@ data aws_iam_policy_document assumption_policy {
 resource aws_iam_role iam_for_lambda {
 name = "${var.lambda_function_name}-executor"
 assume_role_policy = data.aws_iam_policy_document.assumption_policy.json
+
+
+ inline_policy {
+ name = "allow-cloudwatch-logs"
+ policy = data.aws_iam_policy_document.cloudwatch_logs.json
+ }
 }
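Review bot: The `cloudwatch_logs` statement grants `logs:CreateLogGroup`, yet nothing in this diff declares an `aws_cloudwatch_log_group` for `/aws/lambda/${var.lambda_function_name}`, so unless the group is defined elsewhere in the module it will be created implicitly by Lambda on first invocation with no retention period, no KMS key, and it will survive a `terraform destroy`. Declaring the group as an `aws_cloudwatch_log_group` resource (with `retention_in_days` and, where required, `kms_key_id`) lets `logs:CreateLogGroup` be removed from the role entirely, leaving only `logs:CreateLogStream` and `logs:PutLogEvents` — the least privilege the function actually needs at runtime. The `sid = "createLogGroup"` already misdescribes a statement that grants three actions; `sid = "LambdaLogDelivery"` would read correctly either way. Separately, `local.log_group_arn` hard-codes the `arn:aws:` partition; `"arn:${data.aws_partition.current.partition}:logs:…"` with a `data "aws_partition" "current" {}` keeps the ARN valid in GovCloud and China regions.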
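Review bot: The `inline_policy` block added to `iam_for_lambda` makes Terraform the exclusive manager of the role's inline policies, so any inline policy attached to this role outside this module will be silently removed on the next apply, and in recent AWS provider 5.x releases the argument is marked deprecated in favour of the standalone `aws_iam_role_policy` resource (worth confirming against the provider version pinned for this module, which is not visible here). Attaching the policy as its own resource keeps the same permissions without the exclusive-management side effect and avoids the deprecation warning; the `iam_for_lambda` role block itself then needs no change beyond dropping the `inline_policy` block.
```hcl
resource aws_iam_role_policy allow_cloudwatch_logs {
  name   = "allow-cloudwatch-logs"
  role   = aws_iam_role.iam_for_lambda.id
  policy = data.aws_iam_policy_document.cloudwatch_logs.json
}
```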