S3 Policy to grant AWS org child accounts access from AWS services (CloudFormation)


I'm trying to grant read-only access for CloudFormation to some templates in an S3 bucket.

I can do this when CF is in the same account as the S3 bucket using aws:PrincipalIsAWSService. However, when I try to get this to work for any child accounts, I get permission denied. I've tried adding the PrincipalOrgID or the Org account, but no joy so far.

I'm trying to avoid having to list ALL the child accounts, as they get added frequently, and was under the impression PrincipalOrgID was for this very purpose.

Any ideas?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "o-yyyyyyyyyy"
                    },
                    "Bool": {
                        "aws:PrincipalIsAWSService": "true"
                    }
                }
            }
        ]
    }

Best answer:

Moving from comment to answer for visibility:

The problem was the combination of conditions.

    "StringEquals": {
        "aws:PrincipalOrgID": "o-yyyyyyyyyy"
    },
    "Bool": {
        "aws:PrincipalIsAWSService": "true"
    }

Just leaving

    "StringEquals": {
        "aws:PrincipalOrgID": "o-yyyyyyyyyy"
    }

enables other accounts from the organization to access it.
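Why the two conditions together match nothing, and what the fix actually grants, is easier to see by evaluating the Condition block against a few request contexts. The following is an added example, not code from the question or the answer. It is a deliberately small model of IAM condition evaluation covering only the two operators used above (StringEquals and Bool), with IAM's rules that every key in a Condition block must be satisfied (logical AND) and that a key absent from the request context fails both operators. The three request contexts are constructed: per the IAM condition-key documentation, aws:PrincipalOrgID is only present when the caller is a member of an organization, which a bare AWS service principal is not, while aws:PrincipalIsAWSService is "true" only for calls made directly by a service principal. The org id is the placeholder from the question.

```python
"""Mini evaluator for the Condition block of an S3 bucket policy statement.

Added example (not from the original post). Models StringEquals and Bool only.
"""

ORG_ID = "o-yyyyyyyyyy"  # placeholder org id copied from the question

# The question's statement: both conditions ANDed on one statement.
ORIGINAL_CONDITION = {
    "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
    "Bool": {"aws:PrincipalIsAWSService": "true"},
}

# The accepted answer's fix: keep only the org-id condition.
FIXED_CONDITION = {
    "StringEquals": {"aws:PrincipalOrgID": ORG_ID},
}

# Constructed request contexts (assumption: simplified, only the keys that matter here).
# A service principal is not an org member, so aws:PrincipalOrgID is absent.
SERVICE_PRINCIPAL_CONTEXT = {"aws:PrincipalIsAWSService": "true"}
# An IAM role in a member account of the org.
MEMBER_ROLE_CONTEXT = {
    "aws:PrincipalIsAWSService": "false",
    "aws:PrincipalOrgID": ORG_ID,
}
# An IAM principal from some unrelated organization.
OUTSIDER_CONTEXT = {
    "aws:PrincipalIsAWSService": "false",
    "aws:PrincipalOrgID": "o-zzzzzzzzzz",
}


def _match(op, expected, actual):
    """One operator/key comparison. A key missing from the context never matches."""
    if actual is None:
        return False
    if op == "StringEquals":
        return actual == expected
    if op == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"operator {op!r} not modelled in this example")


def condition_matches(condition, context):
    """True only if every operator/key pair in the block is satisfied (AND)."""
    for op, keys in condition.items():
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            # A list of values for one key is OR; different keys are AND.
            if not any(_match(op, v, context.get(key)) for v in values):
                return False
    return True


def evaluate(condition):
    """Which of the three constructed callers an Allow with this Condition reaches."""
    return {
        "service_principal": condition_matches(condition, SERVICE_PRINCIPAL_CONTEXT),
        "member_role": condition_matches(condition, MEMBER_ROLE_CONTEXT),
        "outsider": condition_matches(condition, OUTSIDER_CONTEXT),
    }


def find_dead_statements(policy):
    """Indexes of statements that AND aws:PrincipalIsAWSService=true with
    aws:PrincipalOrgID: no real caller carries both, so the statement grants nothing."""
    dead = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        cond = stmt.get("Condition", {})
        needs_service = str(cond.get("Bool", {}).get("aws:PrincipalIsAWSService", "")).lower() == "true"
        needs_org = "aws:PrincipalOrgID" in cond.get("StringEquals", {})
        if needs_service and needs_org:
            dead.append(i)
    return dead


if __name__ == "__main__":
    print("original:", evaluate(ORIGINAL_CONDITION))  # nobody matches
    print("fixed:   ", evaluate(FIXED_CONDITION))     # member role only
```

The original condition matches none of the three callers, which is the "permission denied" from the question: a request is either from a service principal (no org id in context) or from an IAM principal in the org (PrincipalIsAWSService is false), never both. The fixed condition matches the member-account role and still rejects the outsider, and the answer reporting it works is consistent with CloudFormation fetching a TemplateURL with the calling IAM principal's identity rather than as a bare service principal. The caveat for the bucket owner is that "Principal": "*" plus aws:PrincipalOrgID alone grants s3:GetObject to every IAM user and role in the organization, not only to CloudFormation; if the templates are sensitive, narrow the Resource to the template prefix and consider the usual bucket hardening (Block Public Access, access logging) as well. find_dead_statements is a lint you can run over existing bucket policies to catch the same mutually exclusive pairing before it reaches production.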