{"id":"aws-config-s3-bucket-policy-source-account-condition","text":"When granting AWS Config access to an S3 bucket, the bucket policy should use the `AWS:SourceAccount` condition key to prevent confused deputy attacks by ensuring access is only on behalf of expected accounts.","truth_value":"IN","source":"entries/2026/03/11/AWSCloudFormation-latest-UserGuide-stacksets-sampletemplateshtml.md","source_url":"","source_hash":"b2b5cfc64f03ff39","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"aws-config-s3-bucket-policy-source-account-condition","truth_value":"IN","reason":"premise"}]}}