diff --git a/security_group.tf b/security_group.tf
index c65d19b..727fa66 100644
--- a/security_group.tf
+++ b/security_group.tf
@@ -10,7 +10,7 @@ resource "aws_security_group" "aws-demo-security-group" {
 to_port = 0
 from_port = 0
 protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
+ cidr_blocks = [""]
 }
 egress {
diff --git a/vpc.tf b/vpc.tf
index 6deed7d..c18143c 100644
--- a/vpc.tf
+++ b/vpc.tf
@@ -11,4 +11,57 @@ resource "aws_vpc" "demo for Paul H" {
 tags = {
 Name = "${var.name}-aws-demo"
 }
+}
+resource "aws_flow_log" "aws-demo" {
+ vpc_id = "${aws_vpc.aws-demo.id}"
+ iam_role_arn = ""
+ log_destination = "${aws_s3_bucket.aws-demo.arn}"
+ traffic_type = "ALL"
+
+ tags = {
+ GeneratedBy = "Accurics"
+ ParentResourceId = "aws_vpc.aws-demo"
+ }
+}
+resource "aws_s3_bucket" "aws-demo" {
+ bucket = "aws-demo_flow_log_s3_bucket"
+ acl = "private"
+ force_destroy = true
+
+ versioning {
+ enabled = true
+ mfa_delete = true
+ }
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+}
+resource "aws_s3_bucket_policy" "aws-demo" {
+ bucket = "${aws_s3_bucket.aws-demo.id}"
+
+ policy = <
+ ]
+ }
+ ],
+ "Action": "s3:GetObject",
+ "Resource": "arn:aws:s3:::${aws_s3_bucket.aws-demo.id}/*"
+ }
+ ]
+}
+POLICY
 }
\ No newline at end of file
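Review bot: `cidr_blocks = [""]` is not a valid CIDR and will be rejected at plan/apply time, so this hunk does not actually close the `0.0.0.0/0` ingress — it swaps an over-permissive rule for one that cannot be applied. If the intent is to stop unrestricted inbound traffic, either delete the ingress block or name the real source range through a variable, e.g. `cidr_blocks = [var.allowed_ingress_cidr]` (variable name illustrative; define it alongside). The surrounding context (`from_port = 0`, `to_port = 0`, `protocol = "-1"`) still permits every port and protocol from whatever source is finally chosen, so the port/protocol scope is worth narrowing in the same change. The enclosing `aws_security_group` resource starts outside the hunk.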
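Review bot: `aws_flow_log.aws-demo` points `log_destination` at an S3 bucket ARN but omits `log_destination_type`, which defaults to `cloud-watch-logs`, so the apply will reject the S3 ARN; add `log_destination_type = "s3"` next to `log_destination`, after which the empty `iam_role_arn = ""` can be dropped since a role is only needed for the CloudWatch Logs destination. The bucket name `aws-demo_flow_log_s3_bucket` contains underscores, which S3 bucket naming rules do not permit, so `aws_s3_bucket.aws-demo` will also fail to create — use hyphens. For an audit-log bucket, `force_destroy = true` means a `terraform destroy` silently discards all flow logs, and there is no `aws_s3_bucket_public_access_block` to back up the private ACL; both are worth reconsidering in the same hunk. The hunk header shows the VPC resource labelled `"demo for Paul H"` while the new code references `aws_vpc.aws-demo`, so confirm the label actually resolves (the header context may be stale). The body of the `POLICY` heredoc is partially missing from this view, so its Effect and Principal could not be reviewed; only `s3:GetObject` on `${aws_s3_bucket.aws-demo.id}/*` is visible.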