Configuring VPC flow logs to publish to CloudWatch Logs requires an IAM role that is allowed to publish the logs to the specified log group. Amazon Web Services provides great documentation on this which may be found here.

The IAM policy for the role must at a minimum include the following permission.
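
As an added example (not from the original page or from AWS), the Python check below audits the trust and permission policy documents of a flow-logs role. It assumes the five `logs:` actions and the `vpc-flow-logs.amazonaws.com` service principal that AWS documents for this role; the function name and the sample policies are constructed for illustration.

```python
import fnmatch

# Assumption: the action set AWS documents for a flow-logs publishing role.
REQUIRED_ACTIONS = (
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "logs:DescribeLogGroups", "logs:DescribeLogStreams",
)
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

def _as_list(value):
    """IAM accepts a single value or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def audit_flow_log_role(trust_policy, permission_policy):
    """Return findings for a flow-logs role; an empty list means it passes."""
    findings, service_trusted = [], False
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # e.g. "Principal": "*"
            findings.append(f"trust: non-service principal {principal!r}")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == FLOW_LOGS_SERVICE:
                    service_trusted = True
                else:
                    findings.append(f"trust: unexpected principal {kind}={value}")
        # Condition keys are case-insensitive; gather them across all operators.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if "aws:sourceaccount" not in keys:
            findings.append("trust: no aws:SourceAccount condition (confused deputy)")
    if not service_trusted:
        findings.append(f"trust: {FLOW_LOGS_SERVICE} cannot assume the role")
    # IAM action names match case-insensitively and may contain * and ? wildcards.
    patterns = [a.lower() for s in _allow_statements(permission_policy)
                for a in _as_list(s.get("Action"))]
    for action in REQUIRED_ACTIONS:
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            findings.append(f"permissions: missing {action}")
    findings += [f"permissions: wildcard action {p}" for p in patterns if "*" in p or "?" in p]
    return findings

# Constructed sample: trust policy has no condition, permissions use a wildcard.
SAMPLE_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"Service": FLOW_LOGS_SERVICE}}]}
SAMPLE_PERMS = {"Statement": [{"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}
```

Calling `audit_flow_log_role(SAMPLE_TRUST, SAMPLE_PERMS)` reports the missing `aws:SourceAccount` condition and the `logs:*` wildcard; a role that passes returns an empty list.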