diff --git a/packages/@aws-cdk/aws-codebuild/lib/project.ts b/packages/@aws-cdk/aws-codebuild/lib/project.ts
index 17610638cd83e..0c09011bde2dc 100644
--- a/packages/@aws-cdk/aws-codebuild/lib/project.ts
+++ b/packages/@aws-cdk/aws-codebuild/lib/project.ts
@@ -903,9 +903,9 @@ export class Project extends ProjectBase {
 this.addToRolePolicy(new iam.PolicyStatement()
 .addResource(`arn:aws:ec2:${Aws.region}:${Aws.accountId}:network-interface/*`)
 .addCondition('StringEquals', {
- "ec2:Subnet": [
- `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/[[subnets]]`
- ],
+ "ec2:Subnet": props.vpc
+ .selectSubnets(props.subnetSelection).subnetIds
+ .map(si => `arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}`),
 "ec2:AuthorizedService": "codebuild.amazonaws.com"
 })
 .addAction('ec2:CreateNetworkInterfacePermission'));
diff --git a/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json b/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
index 2bd7159044e5b..0a42b9adfb276 100644
--- a/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
+++ b/packages/@aws-cdk/aws-codebuild/test/integ.project-vpc.expected.json
@@ -312,7 +312,10 @@
 {
 "Ref": "AWS::AccountId"
 },
- ":subnet/[[subnets]]"
+ ":subnet/",
+ {
+ "Ref": "MyVPCPrivateSubnet1Subnet641543F4"
+ }
 ]
 ]
 }
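Review bot: The subnet list for the `ec2:Subnet` condition is computed inline with its own `selectSubnets(props.subnetSelection)` call, so it can drift from whatever selection the project presumably uses for its VpcConfig elsewhere in this class; hoisting it once, e.g. `const subnetArns = props.vpc.selectSubnets(props.subnetSelection).subnetIds.map(si => \`arn:aws:ec2:${Aws.region}:${Aws.accountId}:subnet/${si}\`);` before `this.addToRolePolicy(...)` and reusing that same selection for both, keeps the `ec2:CreateNetworkInterfacePermission` grant scoped to exactly the subnets the build runs in. The enclosing method starts and ends outside the hunk, so I cannot see whether `props.vpc` is already guarded; the new line dereferences it unconditionally and would throw for a project configured without a VPC if it is not. A short why-comment above the condition would help the next reader, for instance `// Least privilege: only allow network-interface permissions in the build's own subnets; subnet ARNs are tokens resolved at deploy time.`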