diff --git a/s3-config-org/main.tf b/s3-config-org/main.tf
index f9d75ae..ea14398 100644
--- a/s3-config-org/main.tf
+++ b/s3-config-org/main.tf
@@ -27,7 +27,7 @@ locals {
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 organization_id = data.aws_organizations_organization.org.id
- bucket_name = var.bucket_name != "" ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region)
+ bucket_name = var.bucket_name != null ? var.bucket_name : format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region)
 key_name = compact([var.key_name, var.bucket_name, var.bucket_name_prefix])[0]
 base_tags = {
@@ -109,6 +109,10 @@ data "aws_iam_policy_document" "bucket_policy" {
 aws_s3_bucket.config_org.arn,
 format("%v/*", aws_s3_bucket.config_org.arn),
 ]
+ principals {
+ type = "Service"
+ identifiers = ["config.amazonaws.com"]
+ }
 condition {
 test = "StringEquals"
 variable = "aws:PrincipalOrgId"
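Review bot: On the new `bucket_name` line in `locals`, a caller that still passes `bucket_name = ""` (the value the old comparison treated as "unset") now gets the empty string as the bucket name rather than the generated prefix-account-region name. `coalesce` skips both null and empty strings, so `bucket_name = coalesce(var.bucket_name, format("%v-%v-%v", var.bucket_name_prefix, local.account_id, local.region))` keeps existing callers working while accepting the new `null` default. The variable declaration is not part of this diff, so confirm its default was changed to `null` in the same commit. The `key_name` line below already tolerates both cases through `compact`.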
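Review bot: The added `principals` block for `config.amazonaws.com` sits in a statement whose condition tests `aws:PrincipalOrgId`, and that key is only present when the caller is an IAM principal that belongs to an organization. For a service principal the `StringEquals` test will presumably never match, so an Allow statement would grant the Config service nothing and delivery would be denied. For service-to-service access the org restriction is normally written with the source keys, e.g. `variable = "aws:SourceOrgID"` (or `aws:SourceAccount` with the member account ids), which also covers the confused-deputy case. Confirm that AWS Config populates the chosen key before relying on it. The statement's effect and actions and the condition's `values` line lie outside the hunk, so check them against this change.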