diff --git a/main.tf b/main.tf
index 03d6b25b..05fbfba1 100644
--- a/main.tf
+++ b/main.tf
@@ -326,15 +326,47 @@ resource "ibm_is_public_gateway" "gateway" {
 # Add VPC to Flow Logs
 ##############################################################################
-# Create authorization policy to allow VPC to access COS instance
+# Create authorization policy to allow VPC to access COS Bucket
 resource "ibm_iam_authorization_policy" "policy" {
 count = (var.enable_vpc_flow_logs) ? ((var.create_authorization_policy_vpc_to_cos) ? 1 : 0) : 0
- source_service_name = "is"
- source_resource_type = "flow-log-collector"
- target_service_name = "cloud-object-storage"
- target_resource_instance_id = var.existing_cos_instance_guid
- roles = ["Writer"]
+ source_service_name = "is"
+ source_resource_type = "flow-log-collector"
+ roles = ["Writer"]
+
+ resource_attributes {
+ name = "accountId"
+ operator = "stringEquals"
+ value = data.ibm_iam_account_settings.iam_account_settings.account_id
+ }
+
+ resource_attributes {
+ name = "serviceName"
+ operator = "stringEquals"
+ value = "cloud-object-storage"
+ }
+
+ resource_attributes {
+ name = "serviceInstance"
+ operator = "stringEquals"
+ value = var.existing_cos_instance_guid
+ }
+
+ resource_attributes {
+ name = "resourceType"
+ operator = "stringEquals"
+ value = "bucket"
+ }
+
+ resource_attributes {
+ name = "resource"
+ operator = "stringEquals"
+ value = var.existing_storage_bucket_name
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
 }
 # Create VPC flow logs collector
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 1bd22a76..70feb0ad 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
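Review bot: The `resource` attribute scopes the Writer grant to `var.existing_storage_bucket_name`, but the hunk has no guard for that value being null or empty on a path where the bucket is created by the module rather than supplied; if such a path exists, the plan would fail at the provider or yield a policy that matches no bucket, so confirm against the variable definition and consider a `precondition` inside the existing `lifecycle` block asserting the name is non-empty whenever `count` is 1. The `accountId` attribute is taken from `data.ibm_iam_account_settings.iam_account_settings.account_id`, which presumably assumes the COS instance lives in the same account as that data source; if the COS instance can be in another account, the policy would be pinned to the wrong account, so that assumption is worth a comment on the attribute. `create_before_destroy = true` also deserves a why-comment, since the move from instance scope to bucket scope forces the policy to be replaced: `# create_before_destroy avoids a window with no Writer grant for the flow log collector while the policy is replaced`.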
@@ -33,7 +33,7 @@ locals {
 kms_service_name = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? module.existing_kms_key_crn_parser[0].service_name : module.existing_kms_instance_crn_parser[0].service_name) : null
 cos_kms_key_crn = var.kms_encryption_enabled_bucket ? (length(module.existing_kms_key_crn_parser) > 0 ? var.existing_flow_logs_bucket_kms_key_crn : module.kms[0].keys[format("%s.%s", local.kms_key_ring_name, local.kms_key_name)].crn) : null
 create_cos_kms_iam_auth_policy = var.enable_vpc_flow_logs && var.kms_encryption_enabled_bucket && !var.skip_cos_kms_iam_auth_policy
- create_cross_account_cos_kms_auth_policy = (local.create_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null) ? false : (local.cos_account_id != local.kms_account_id)
+ create_cross_account_cos_kms_auth_policy = (local.create_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key == null) ? false : (local.kms_account_id != null ? (local.cos_account_id != local.kms_account_id) : false)
 # configuration for the flow logs bucket
 bucket_config = [{
@@ -43,7 +43,7 @@ locals {
 kms_encryption_enabled = var.kms_encryption_enabled_bucket
 kms_guid = local.kms_guid
 kms_key_crn = local.cos_kms_key_crn
- skip_iam_authorization_policy = local.create_cross_account_cos_kms_auth_policy || var.skip_cos_kms_iam_auth_policy
+ skip_iam_authorization_policy = local.create_cross_account_cos_kms_auth_policy || !local.create_cos_kms_iam_auth_policy
 management_endpoint_type = var.management_endpoint_type_for_bucket
 storage_class = var.cos_bucket_class
 resource_instance_id = var.existing_cos_instance_crn
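Review bot: The new null guard on `local.kms_account_id` only covers the else branch, so when `local.create_cos_kms_iam_auth_policy` is false and the two account ids differ the local still evaluates to true, meaning a cross-account policy can be requested even though policy creation was meant to be skipped; unless the consumer re-checks `create_cos_kms_iam_auth_policy`, a flat conjunction is safer and easier to audit: `create_cross_account_cos_kms_auth_policy = local.create_cos_kms_iam_auth_policy && var.ibmcloud_kms_api_key != null && local.kms_account_id != null && local.cos_account_id != local.kms_account_id`. Either way the expression needs a comment saying why a null `kms_account_id` disables the cross-account policy, e.g. `# a null kms_account_id means no KMS CRN was resolved, so there is no second account to authorize` (confirm that is indeed the only case in which it is null). The `locals` block continues outside the hunk.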
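Review bot: `skip_iam_authorization_policy` now uses `!local.create_cos_kms_iam_auth_policy`, which subsumes the old `var.skip_cos_kms_iam_auth_policy` because that variable is one of the terms of `create_cos_kms_iam_auth_policy` in the hunk above, but the reader has to derive that; a one-line comment would make the intent explicit: `# skip the bucket module's own COS->KMS policy when it is created cross-account here, or when no policy is wanted at all`. The `bucket_config` object this line belongs to starts in the previous hunk and continues past this one.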