diff --git a/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts b/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts
index 366d034616007..a0921da3a99e3 100644
--- a/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/lambda-ref.ts
@@ -317,7 +317,7 @@ export abstract class FunctionRef extends cdk.Construct
         const permissionId = `AllowBucketNotificationsFrom${bucketId}`;
         if (!this.tryFindChild(permissionId)) {
             this.addPermission(permissionId, {
-                sourceAccount: new cdk.AwsAccountId(),
+                sourceAccount: new cdk.AwsAccountId().toString(),
                 principal: new cdk.ServicePrincipal('s3.amazonaws.com'),
                 sourceArn: bucketArn,
             });
diff --git a/packages/@aws-cdk/aws-lambda/lib/permission.ts b/packages/@aws-cdk/aws-lambda/lib/permission.ts
index d4b6215638832..d5be118b80bc9 100644
--- a/packages/@aws-cdk/aws-lambda/lib/permission.ts
+++ b/packages/@aws-cdk/aws-lambda/lib/permission.ts
@@ -42,7 +42,7 @@ export interface Permission {
      * bucket owner's account ID. You can use this property to ensure that all
      * source principals are owned by a specific account.
      */
-    sourceAccount?: any;
+    sourceAccount?: string;
 
     /**
      * The ARN of a resource that is invoking your function. When granting
diff --git a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
index f64f644504059..d26d2801b08e5 100644
--- a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
@@ -118,7 +118,7 @@ export = {
             fn.addPermission('S3Permission', {
                 action: 'lambda:*',
                 principal: new cdk.ServicePrincipal('s3.amazonaws.com'),
-                sourceAccount: new cdk.AwsAccountId(),
+                sourceAccount: new cdk.AwsAccountId().toString(),
                 sourceArn: new cdk.Arn('arn:aws:s3:::my_bucket')
             });