Status: IN
When granting AWS Config access to an S3 bucket, the bucket policy should use the `AWS:SourceAccount` condition key to prevent confused deputy attacks by ensuring access is only on behalf of expected accounts.
Source: entries/2026/03/11/AWSCloudFormation-latest-UserGuide-stacksets-sampletemplateshtml.md