diff --git a/cloudtrail/cloudwatch.tf b/cloudtrail/cloudwatch.tf
index f885d17..6d2b6d3 100644
--- a/cloudtrail/cloudwatch.tf
+++ b/cloudtrail/cloudwatch.tf
@@ -1,3 +1,9 @@
+locals {
+  cloudwatch_prefix    = replace(aws_cloudwatch_log_group.this.arn, "/:\\*$/", "")
+  cloudwatch_suffix    = format("%v_CloudTrail_%v", local.account_id, local.region)
+  cloudwatch_resources = join(":", list(local.cloudwatch_prefix, "log-stream", local.cloudwatch_suffix))
+}
+
 data "aws_iam_policy_document" "cloudwatch_policy" {
   statement {
     sid       = "AWSCloudTrailCreateLogStream"
@@ -23,7 +29,8 @@ resource "aws_cloudwatch_log_group" "this" {
   retention_in_days = 7
 
   tags = merge(
-    local.common_tags,
+    local.base_tags,
+    var.tags,
     map("Name", local.name),
   )
 }