diff --git a/.changelog/22891.txt b/.changelog/22891.txt
new file mode 100644
index 000000000000..29f0ae9cdcc2
--- /dev/null
+++ b/.changelog/22891.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+resource/aws_ec2_client_vpn_endpoint: `connection_log_options.cloudwatch_log_stream` argument is Computed, preventing spurious resource diffs
+```
\ No newline at end of file
diff --git a/internal/service/ec2/client_vpn_endpoint.go b/internal/service/ec2/client_vpn_endpoint.go
index 408a3d68068d..347df2977b31 100644
--- a/internal/service/ec2/client_vpn_endpoint.go
+++ b/internal/service/ec2/client_vpn_endpoint.go
@@ -134,6 +134,7 @@ func ResourceClientVPNEndpoint() *schema.Resource {
 "cloudwatch_log_stream": {
 Type: schema.TypeString,
 Optional: true,
+ Computed: true,
 },
 "enabled": {
 Type: schema.TypeBool,
diff --git a/internal/service/ec2/client_vpn_endpoint_test.go b/internal/service/ec2/client_vpn_endpoint_test.go
index b4a00cf43ad4..fa09f58ebb09 100644
--- a/internal/service/ec2/client_vpn_endpoint_test.go
+++ b/internal/service/ec2/client_vpn_endpoint_test.go
@@ -450,6 +450,16 @@ func testAccClientVPNEndpoint_withConnectionLogOptions(t *testing.T) {
 Providers: acctest.Providers,
 CheckDestroy: testAccCheckClientVPNEndpointDestroy,
 Steps: []resource.TestStep{
+ {
+ Config: testAccEc2ClientVpnEndpointConfigWithConnectionLogOptions(rName, 0),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckClientVPNEndpointExists(resourceName, &v),
+ resource.TestCheckResourceAttr(resourceName, "connection_log_options.#", "1"),
+ resource.TestCheckResourceAttrPair(resourceName, "connection_log_options.0.cloudwatch_log_group", logGroupResourceName, "name"),
+ resource.TestCheckResourceAttrSet(resourceName, "connection_log_options.0.cloudwatch_log_stream"),
+ resource.TestCheckResourceAttr(resourceName, "connection_log_options.0.enabled", "true"),
+ ),
+ },
 {
 Config: testAccEc2ClientVpnEndpointConfigWithConnectionLogOptions(rName, 1),
 Check: resource.ComposeTestCheckFunc(
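Review bot: `Computed: true` on `cloudwatch_log_stream` is added without a comment, and its side effect is easy to miss: with Optional plus Computed, deleting the argument from configuration later produces no diff, so the endpoint keeps writing connection logs to whichever stream was last set. These logs serve as an audit trail, so I would state that on the field, e.g. `// Computed: a stream name is returned even when none is configured; removing the argument keeps the current stream.` The new acceptance step (unset argument, `TestCheckResourceAttrSet`) suggests the service fills the value in, but the read path is not visible in this diff. The schema map starts and ends outside the hunk.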
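Review bot: The steps visible in this hunk only move from an unset stream (index 0) to an explicit one (index 1); nothing here covers going back from an explicit stream to unset, which is the transition the Optional+Computed change alters. A closing step that re-applies `testAccEc2ClientVpnEndpointConfigWithConnectionLogOptions(rName, 0)` and checks `connection_log_options.0.cloudwatch_log_stream` with `resource.TestCheckResourceAttrPair` against the last explicit stream would pin which destination the connection logs end up in. The `Steps` slice continues outside the hunk, so a later step may already do this.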
@@ -856,7 +866,8 @@ resource "aws_cloudwatch_log_stream" "test2" {
 }
 locals {
- index = %[2]d
+ log_stream_index = %[2]d
+ log_stream = local.log_stream_index == 0 ? null : (local.log_stream_index == 1 ? aws_cloudwatch_log_stream.test1.name : aws_cloudwatch_log_stream.test2.name)
 }
 resource "aws_ec2_client_vpn_endpoint" "test" {
@@ -871,7 +882,7 @@ resource "aws_ec2_client_vpn_endpoint" "test" {
 connection_log_options {
 enabled = true
 cloudwatch_log_group = aws_cloudwatch_log_group.test.name
- cloudwatch_log_stream = local.index == 1 ? aws_cloudwatch_log_stream.test1.name : aws_cloudwatch_log_stream.test2.name
+ cloudwatch_log_stream = local.log_stream
 }
 tags = {