diff --git a/packages/@aws-cdk/aws-config/lib/rule.ts b/packages/@aws-cdk/aws-config/lib/rule.ts
index 05ecebe7d93e5..e1ac4d107ec9e 100644
--- a/packages/@aws-cdk/aws-config/lib/rule.ts
+++ b/packages/@aws-cdk/aws-config/lib/rule.ts
@@ -355,6 +355,7 @@ export class CustomRule extends RuleNew {
 props.lambdaFunction.addPermission('Permission', {
 principal: new iam.ServicePrincipal('config.amazonaws.com'),
+ sourceAccount: this.env.account,
 });
 if (props.lambdaFunction.role) {
diff --git a/packages/@aws-cdk/aws-config/test/integ.rule.lit.expected.json b/packages/@aws-cdk/aws-config/test/integ.rule.lit.expected.json
index 234f54351bcd1..172382853b95f 100644
--- a/packages/@aws-cdk/aws-config/test/integ.rule.lit.expected.json
+++ b/packages/@aws-cdk/aws-config/test/integ.rule.lit.expected.json
@@ -72,7 +72,10 @@
 "Arn"
 ]
 },
- "Principal": "config.amazonaws.com"
+ "Principal": "config.amazonaws.com",
+ "SourceAccount": {
+ "Ref": "AWS::AccountId"
+ }
 }
 },
 "Custom8166710A": {
@@ -221,4 +224,4 @@
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-config/test/integ.scoped-rule.expected.json b/packages/@aws-cdk/aws-config/test/integ.scoped-rule.expected.json
index 99d314d0c45af..fced1ede4a8f5 100644
--- a/packages/@aws-cdk/aws-config/test/integ.scoped-rule.expected.json
+++ b/packages/@aws-cdk/aws-config/test/integ.scoped-rule.expected.json
@@ -72,7 +72,10 @@
 "Arn"
 ]
 },
- "Principal": "config.amazonaws.com"
+ "Principal": "config.amazonaws.com",
+ "SourceAccount": {
+ "Ref": "AWS::AccountId"
+ }
 }
 },
 "Custom8166710A": {
@@ -106,4 +109,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-config/test/rule.test.ts b/packages/@aws-cdk/aws-config/test/rule.test.ts
index 77599b8d95308..259727982a330 100644
--- a/packages/@aws-cdk/aws-config/test/rule.test.ts
+++ b/packages/@aws-cdk/aws-config/test/rule.test.ts
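Review bot: The added `sourceAccount: this.env.account` line in the `addPermission('Permission', …)` call carries no comment saying why the grant is scoped, and an unexplained restriction is the first thing a maintainer removes when a cross-account Config setup stops invoking the function. I would put `// Limit the Config service principal to this account so AWS Config acting for another account cannot invoke this function (confused-deputy mitigation).` directly above it. Scoping to the rule's own ARN via `sourceArn` would be tighter than the account, but presumably the permission has to exist before the Config rule is created, so the rule ARN is not available here without a dependency cycle; if that is the reason, a second sentence in the comment should say so. Because `AWS::Lambda::Permission` properties are replace-only, existing stacks will get a new permission resource and any cross-account invocation that previously worked will be rejected, which deserves a changelog entry. The enclosing `CustomRule` constructor starts and ends outside the hunk.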
@@ -101,6 +101,9 @@ describe('rule', () => {
 expect(stack).toHaveResource('AWS::Lambda::Permission', {
 Principal: 'config.amazonaws.com',
+ SourceAccount: {
+ Ref: 'AWS::AccountId',
+ },
 });
 expect(stack).toHaveResource('AWS::IAM::Role', {
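Review bot: The new `SourceAccount: { Ref: 'AWS::AccountId' }` assertion only covers the environment-agnostic stack, so it does not show what `this.env.account` resolves to when the stack is given an explicit environment. A second case that builds the stack with `env: { account: '<account-id>', region: '<region>' }` (placeholders) and asserts `SourceAccount: '<account-id>'` would pin the concrete-account path as well, which is the one a real multi-account deployment exercises. The surrounding test callback and `describe('rule', …)` block start and end outside the hunk.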