diff --git a/packages/@aws-cdk/aws-glue/lib/table.ts b/packages/@aws-cdk/aws-glue/lib/table.ts
index 59b5e551ebc03..76971993b581b 100644
--- a/packages/@aws-cdk/aws-glue/lib/table.ts
+++ b/packages/@aws-cdk/aws-glue/lib/table.ts
@@ -297,7 +297,7 @@ export class Table extends Resource implements ITable {
 public grantRead(grantee: iam.IGrantable): iam.Grant {
 const ret = this.grant(grantee, readPermissions);
 if (this.encryptionKey && this.encryption === TableEncryption.CLIENT_SIDE_KMS) { this.encryptionKey.grantDecrypt(grantee); }
- this.bucket.grantRead(grantee, this.s3Prefix);
+ this.bucket.grantRead(grantee, this.getS3PrefixForGrant());
 return ret;
 }
 
@@ -309,7 +309,7 @@ export class Table extends Resource implements ITable {
 public grantWrite(grantee: iam.IGrantable): iam.Grant {
 const ret = this.grant(grantee, writePermissions);
 if (this.encryptionKey && this.encryption === TableEncryption.CLIENT_SIDE_KMS) { this.encryptionKey.grantEncrypt(grantee); }
- this.bucket.grantWrite(grantee, this.s3Prefix);
+ this.bucket.grantWrite(grantee, this.getS3PrefixForGrant());
 return ret;
 }
 
@@ -321,7 +321,7 @@ export class Table extends Resource implements ITable {
 public grantReadWrite(grantee: iam.IGrantable): iam.Grant {
 const ret = this.grant(grantee, [...readPermissions, ...writePermissions]);
 if (this.encryptionKey && this.encryption === TableEncryption.CLIENT_SIDE_KMS) { this.encryptionKey.grantEncryptDecrypt(grantee); }
- this.bucket.grantReadWrite(grantee, this.s3Prefix);
+ this.bucket.grantReadWrite(grantee, this.getS3PrefixForGrant());
 return ret;
 }
 
@@ -332,6 +332,10 @@ export class Table extends Resource implements ITable {
 actions,
 });
 }
+
+ private getS3PrefixForGrant() {
+ return this.s3Prefix + '*';
+ }
 }
 
 function validateSchema(columns: Column[], partitionKeys?: Column[]): void {
diff --git a/packages/@aws-cdk/aws-glue/test/integ.table.expected.json b/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
index de662c9fea636..a7e41f98f7e82 100644
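Review bot: `getS3PrefixForGrant()` appends `*` to `this.s3Prefix` verbatim, so in all three grant methods (`grantRead`, `grantWrite`, `grantReadWrite`) the S3 resource pattern matches every key that merely starts with the prefix string rather than only keys under the table's location. The hunks do not show whether `s3Prefix` is normalised elsewhere; if a caller can pass a prefix without a trailing slash, a value such as `data` would produce `data*` and also cover sibling keys like `data-archive/...`, which is wider than least privilege calls for. Consider enforcing a trailing `/` on non-empty prefixes where the property is set, or at minimum document the contract on the helper with a comment such as `// IAM wildcard: matches any key beginning with s3Prefix, so a non-empty prefix should end with '/'`. With an empty prefix the pattern is `*`, i.e. the whole bucket, which deserves a sentence in the grant methods' doc comments. The helper should also declare its return type: `private getS3PrefixForGrant(): string {`.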
--- a/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
+++ b/packages/@aws-cdk/aws-glue/test/integ.table.expected.json
@@ -537,7 +537,7 @@
 "Arn"
 ]
 },
- "/"
+ "/*"
 ]
 ]
 }
@@ -614,7 +614,7 @@
 "Arn"
 ]
 },
- "/"
+ "/*"
 ]
 ]
 }
@@ -726,7 +726,7 @@
 "Arn"
 ]
 },
- "/"
+ "/*"
 ]
 ]
 }
diff --git a/packages/@aws-cdk/aws-glue/test/table.test.ts b/packages/@aws-cdk/aws-glue/test/table.test.ts
index 7da75572f4ffb..4cad8b4b0efd3 100644
--- a/packages/@aws-cdk/aws-glue/test/table.test.ts
+++ b/packages/@aws-cdk/aws-glue/test/table.test.ts
@@ -1240,7 +1240,7 @@ test('grants: read only', () => {
 'Arn',
 ],
 },
- '/',
+ '/*',
 ],
 ],
 },
@@ -1343,7 +1343,7 @@ test('grants: write only', () => {
 'Arn',
 ],
 },
- '/',
+ '/*',
 ],
 ],
 },
@@ -1456,7 +1456,7 @@ test('grants: read and write', () => {
 'Arn',
 ],
 },
- '/',
+ '/*',
 ],
 ],
 },
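Review bot: The three updated expectations in table.test.ts ('grants: read only', 'grants: write only', 'grants: read and write') assert only the `'/*'` suffix, which appears to be the empty-prefix case; nothing in these hunks exercises a table created with a non-empty `s3Prefix`. Because the commit changes the IAM resource pattern, a case that sets a prefix and asserts the exact resulting ARN suffix would pin down how far each grant reaches and guard against the pattern widening later. The test bodies start and end outside the hunks, so such a case may already exist elsewhere in the file.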