diff --git a/.changelog/38824.txt b/.changelog/38824.txt
new file mode 100644
index 00000000000..a85ffef5805
--- /dev/null
+++ b/.changelog/38824.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resource/aws_networkfirewall_logging_configuration: Change `logging_configuration.log_destination_config` `MaxItems` from `2` to `3`
+```
\ No newline at end of file
diff --git a/internal/service/networkfirewall/logging_configuration.go b/internal/service/networkfirewall/logging_configuration.go
index 904612e4226..b55a69e3a0f 100644
--- a/internal/service/networkfirewall/logging_configuration.go
+++ b/internal/service/networkfirewall/logging_configuration.go
@@ -51,11 +51,11 @@ func resourceLoggingConfiguration() *schema.Resource {
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "log_destination_config": {
- // At most 2 configurations can exist,
- // with 1 destination for FLOW logs and 1 for ALERT logs
+ // At most 3 configurations can exist,
+ // with 1 destination for FLOW logs and 1 for ALERT logs and 1 for TLS Logs
 Type: schema.TypeSet,
 Required: true,
- MaxItems: 2,
+ MaxItems: 3,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
 "log_destination": {
diff --git a/internal/service/networkfirewall/logging_configuration_test.go b/internal/service/networkfirewall/logging_configuration_test.go
index bd804e4838c..8235cd32946 100644
--- a/internal/service/networkfirewall/logging_configuration_test.go
+++ b/internal/service/networkfirewall/logging_configuration_test.go
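Review bot: Raising `MaxItems` to 3 still leaves per-type uniqueness unenforced in this block: nothing here prevents, say, two `FLOW` entries, and as far as the hunk shows that is left to the API to reject at apply time. If `log_type` (outside the hunk) is validated against a hard-coded `ALERT`/`FLOW` list rather than the SDK enum, that list also needs `TLS`; worth confirming since the PR does not touch it. Minor wording: the new comment should read `// with 1 destination for FLOW logs, 1 for ALERT logs and 1 for TLS logs` (lowercase, matching the rest of the comment), and the website doc sentence in this PR ("only Three blocks") has the same capitalization slip. `resourceLoggingConfiguration` starts and ends outside the hunk.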
@@ -56,6 +56,18 @@ func TestAccNetworkFirewallLoggingConfiguration_CloudWatchLogDestination_logGrou
 }),
 ),
 },
+ {
+ Config: testAccLoggingConfigurationConfig_cloudWatch(updatedLogGroupName, rName, string(awstypes.LogDestinationTypeCloudwatchLogs), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_destination.%": acctest.Ct1,
+ "log_destination.logGroup": updatedLogGroupName,
+ "log_destination_type": string(awstypes.LogDestinationTypeCloudwatchLogs),
+ }),
+ ),
+ },
 {
 ResourceName: resourceName,
 ImportState: true,
@@ -97,6 +109,16 @@ func TestAccNetworkFirewallLoggingConfiguration_CloudWatchLogDestination_logType
 }),
 ),
 },
+ {
+ Config: testAccLoggingConfigurationConfig_cloudWatch(logGroupName, rName, string(awstypes.LogDestinationTypeCloudwatchLogs), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_type": string(awstypes.LogTypeTls),
+ }),
+ ),
+ },
 {
 ResourceName: resourceName,
 ImportState: true,
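Review bot: The step added in the `_logGroupName` hunk (`@@ -56,6 +56,18 @@`) switches the config to `LogTypeTls` but its `TestCheckTypeSetElemNestedAttrs` map never asserts `log_type`, so the step passes even if the type change were silently ignored; add `"log_type": string(awstypes.LogTypeTls),` to that map. The same omission is in the first hunk of the Kinesis and S3 test changes (`@@ -143,6 +165,18 @@` and `@@ -229,6 +273,17 @@`), and the S3 one also drops `log_destination_type`. The second hunk here (`_logType`) does assert it, so the pattern already exists in the file. Each enclosing test function starts outside its hunk.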
@@ -143,6 +165,18 @@ func TestAccNetworkFirewallLoggingConfiguration_KinesisLogDestination_deliverySt
 }),
 ),
 },
+ {
+ Config: testAccLoggingConfigurationConfig_kinesis(updatedStreamName, rName, string(awstypes.LogDestinationTypeKinesisDataFirehose), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_destination.%": acctest.Ct1,
+ "log_destination.deliveryStream": updatedStreamName,
+ "log_destination_type": string(awstypes.LogDestinationTypeKinesisDataFirehose),
+ }),
+ ),
+ },
 {
 ResourceName: resourceName,
 ImportState: true,
@@ -184,6 +218,16 @@ func TestAccNetworkFirewallLoggingConfiguration_KinesisLogDestination_logType(t
 }),
 ),
 },
+ {
+ Config: testAccLoggingConfigurationConfig_kinesis(streamName, rName, string(awstypes.LogDestinationTypeKinesisDataFirehose), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_type": string(awstypes.LogTypeTls),
+ }),
+ ),
+ },
 {
 ResourceName: resourceName,
 ImportState: true,
@@ -229,6 +273,17 @@ func TestAccNetworkFirewallLoggingConfiguration_S3LogDestination_bucketName(t *t
 }),
 ),
 },
+ {
+ Config: testAccLoggingConfigurationConfig_s3(updatedBucketName, rName, string(awstypes.LogDestinationTypeS3), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_destination.%": acctest.Ct1,
+ "log_destination.bucketName": updatedBucketName,
+ }),
+ ),
+ },
 {
 ResourceName: resourceName,
 ImportState: true,
@@ -271,6 +326,16 @@ func TestAccNetworkFirewallLoggingConfiguration_S3LogDestination_logType(t *test
 }),
 ),
 },
+ {
+ Config: testAccLoggingConfigurationConfig_s3(bucketName, rName, string(awstypes.LogDestinationTypeS3), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_type": string(awstypes.LogTypeTls),
+ }),
+ ),
+ },
 {
 ResourceName: resourceName,
 ImportState: true,
@@ -316,6 +381,7 @@ func TestAccNetworkFirewallLoggingConfiguration_S3LogDestination_prefix(t *testi
 }),
 ),
 },
+
 {
 ResourceName: resourceName,
 ImportState: true,
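Review bot: The `@@ -316,6 +381,7 @@` hunk in `_S3LogDestination_prefix` adds nothing but a blank line between `},` and `{` inside the `Steps` slice; it is whitespace unrelated to the TLS change and should be dropped from the PR so it does not pollute blame. The two earlier hunks on this line mirror the CloudWatch and Kinesis step additions and share the missing `log_type` assertion already raised there. `TestAccNetworkFirewallLoggingConfiguration_S3LogDestination_prefix` starts and ends outside the hunk.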
@@ -590,6 +656,62 @@ func TestAccNetworkFirewallLoggingConfiguration_updateToSingleFlowTypeLogDestina
 })
 }
+func TestAccNetworkFirewallLoggingConfiguration_updateToSingleTLSTypeLogDestination(t *testing.T) {
+ ctx := acctest.Context(t)
+ bucketName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+ logGroupName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+ rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+ resourceName := "aws_networkfirewall_logging_configuration.test"
+
+ resource.ParallelTest(t, resource.TestCase{
+ PreCheck: func() { acctest.PreCheck(ctx, t); testAccPreCheck(ctx, t) },
+ ErrorCheck: acctest.ErrorCheck(t, names.NetworkFirewallServiceID),
+ ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+ CheckDestroy: testAccCheckLoggingConfigurationDestroy(ctx),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccLoggingConfigurationConfig_s3AndCloudWatch(bucketName, logGroupName, rName, string(awstypes.LogTypeAlert), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.0.log_destination_config.#", acctest.Ct2),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_destination.%": acctest.Ct1,
+ "log_destination.logGroup": logGroupName,
+ "log_destination_type": string(awstypes.LogDestinationTypeCloudwatchLogs),
+ "log_type": string(awstypes.LogTypeTls),
+ }),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_destination.%": acctest.Ct1,
+ "log_destination.bucketName": bucketName,
+ "log_destination_type": string(awstypes.LogDestinationTypeS3),
+ "log_type": string(awstypes.LogTypeAlert),
+ }),
+ ),
+ },
+ {
+ Config: testAccLoggingConfigurationConfig_cloudWatch(logGroupName, rName, string(awstypes.LogDestinationTypeCloudwatchLogs), string(awstypes.LogTypeTls)),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckLoggingConfigurationExists(ctx, resourceName),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
+ resource.TestCheckResourceAttr(resourceName, "logging_configuration.0.log_destination_config.#", acctest.Ct1),
+ resource.TestCheckTypeSetElemNestedAttrs(resourceName, "logging_configuration.0.log_destination_config.*", map[string]string{
+ "log_destination.%": acctest.Ct1,
+ "log_destination.logGroup": logGroupName,
+ "log_destination_type": string(awstypes.LogDestinationTypeCloudwatchLogs),
+ "log_type": string(awstypes.LogTypeTls),
+ }),
+ ),
+ },
+ {
+ ResourceName: resourceName,
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func TestAccNetworkFirewallLoggingConfiguration_disappears(t *testing.T) {
 ctx := acctest.Context(t)
 bucketName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
diff --git a/website/docs/r/networkfirewall_logging_configuration.html.markdown b/website/docs/r/networkfirewall_logging_configuration.html.markdown
index 7c40f9d7d71..b8d2c13f48e 100644
--- a/website/docs/r/networkfirewall_logging_configuration.html.markdown
+++ b/website/docs/r/networkfirewall_logging_configuration.html.markdown
@@ -58,7 +58,7 @@ resource "aws_networkfirewall_logging_configuration" "example" {
 deliveryStream = aws_kinesis_firehose_delivery_stream.example.name
 }
 log_destination_type = "KinesisDataFirehose"
- log_type = "ALERT"
+ log_type = "TLS"
 }
 }
 }
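Review bot: `TestAccNetworkFirewallLoggingConfiguration_updateToSingleTLSTypeLogDestination` never exercises the limit this PR raises: its steps assert `log_destination_config.#` of `acctest.Ct2` and then `acctest.Ct1`, so nothing in the diff would catch a regression back to `MaxItems: 2`. Add a step (or a sibling test) that applies FLOW, ALERT and TLS destinations together and asserts a count of three; a fixture rendering three destinations is not in the hunk and would need to be written, so the helper name below is a placeholder. Whether the API accepts a `TLS` log type for a firewall without a TLS inspection configuration is not visible here; if the shared fixtures do not provision one, the new TLS steps across this file may fail at apply, so the acceptance run should be checked before merge.
```go
{
	// PLACEHOLDER name: new fixture rendering one FLOW, one ALERT and one TLS destination
	Config: testAccLoggingConfigurationConfig_threeLogTypes(bucketName, logGroupName, rName),
	Check: resource.ComposeTestCheckFunc(
		testAccCheckLoggingConfigurationExists(ctx, resourceName),
		resource.TestCheckResourceAttr(resourceName, "logging_configuration.#", acctest.Ct1),
		resource.TestCheckResourceAttr(resourceName, "logging_configuration.0.log_destination_config.#", acctest.Ct3),
	),
},
// … unchanged: existing two steps and the ImportState step …
```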
@@ -76,7 +76,7 @@ This resource supports the following arguments: The `logging_configuration` block supports the following arguments: -* `log_destination_config` - (Required) Set of configuration blocks describing the logging details for a firewall. See [Log Destination Config](#log-destination-config) below for details. At most, only two blocks can be specified; one for `FLOW` logs and one for `ALERT` logs. +* `log_destination_config` - (Required) Set of configuration blocks describing the logging details for a firewall. See [Log Destination Config](#log-destination-config) below for details. At most, only Three blocks can be specified; one for `FLOW` logs and one for `ALERT` logs and one for `TLS` logs. ### Log Destination Config @@ -89,7 +89,7 @@ The `log_destination_config` block supports the following arguments: * `log_destination_type` - (Required) The location to send logs to. Valid values: `S3`, `CloudWatchLogs`, `KinesisDataFirehose`. -* `log_type` - (Required) The type of log to send. Valid values: `ALERT` or `FLOW`. Alert logs report traffic that matches a `StatefulRule` with an action setting that sends a log message. Flow logs are standard network traffic flow logs. +* `log_type` - (Required) The type of log to send. Valid values: `ALERT` or `FLOW` or `TLS`. Alert logs report traffic that matches a `StatefulRule` with an action setting that sends a log message. Flow logs are standard network traffic flow logs. ## Attribute Reference