Specifying principals in a policy

Use the Principal element to identify the user, group, or tenant account that the policy statement allows or denies access to the resource.

  • Each policy statement in a bucket policy must include a Principal element. Policy statements in a group policy do not need the Principal element because the group is understood to be the principal.
  • In a policy, principals are named in the "Principal" element, or in "NotPrincipal" when the statement should apply to everyone except the listed principals.
  • Account-based identities must be specified using an ID or an ARN:
    "Principal": { "AWS": "account_id"}
    "Principal": { "AWS": "identity_arn" }
  • This example uses the tenant account ID 27233906934684427525, which includes the account root and all users in the account:
     "Principal": { "AWS": "27233906934684427525" }
  • You can specify just the account root:
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:root" }
  • You can specify a specific federated user ("Bob"):
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:federated-user/Bob" }
  • You can specify a specific federated group ("Managers"):
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:federated-group/Managers"  }
  • You can specify an anonymous principal:
    "Principal": "*"
  • If the user Bob is deleted when he leaves the organization, and a different Bob who joins later is assigned the same username, the new Bob inherits whatever permissions a bucket policy still grants to "Bob". To avoid this ambiguity, use the user UUID instead of the username. For example:
  • The Principal value can name a group or user that does not yet exist when the bucket policy is created.
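The rules above (every bucket policy statement needs a Principal or NotPrincipal, account-based identities are an account ID or an IAM ARN, "*" is anonymous, and a federated user named by username can be inherited by a later user with the same name) can be checked mechanically before a policy is applied. The linter below is an added example, not code from this page or the product; the sample policy, the bucket name and the UUID-shaped check are constructed for illustration, and the assumption that a user UUID appears in the ARN where the username would otherwise appear is the author's, not something the page states.

```python
import json
import re

# Constructed sample bucket policy for the linter (not from the page). The
# account ID is the page's example ID; "example-bucket" is made up.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Sid": "AllowAccount", "Effect": "Allow",
         "Principal": {"AWS": "27233906934684427525"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "AllowBobByName", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::27233906934684427525:federated-user/Bob"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AllowManagers", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::27233906934684427525:federated-group/Managers",
                               "arn:aws:iam::27233906934684427525:root"]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "NoPrincipal", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "BadPrincipal", "Effect": "Allow", "Principal": {"AWS": "Bob"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ]
})

ACCOUNT_ID_RE = re.compile(r"^\d+$")
# The three ARN forms shown on the page: account root, federated user, federated group.
IAM_ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d+):"
    r"(?:root|(?P<kind>federated-user|federated-group)/(?P<name>[^/]+))$"
)
# Assumption (not from the page): a user UUID in place of the username is 8-4-4-4-12 hex.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def check_identity(value):
    """Classify one string from Principal.AWS; returns (kind, level, message)."""
    if value == "*":
        return ("anonymous", "warn", "anonymous principal (*) matches every requester")
    if ACCOUNT_ID_RE.match(value):
        return ("account", "ok", "whole tenant account %s (root and all users)" % value)
    m = IAM_ARN_RE.match(value)
    if not m:
        return ("invalid", "error", "principal %r is neither an account ID nor an IAM ARN" % value)
    kind = m.group("kind") or "root"
    if kind == "federated-user" and not UUID_RE.match(m.group("name")):
        return (kind, "warn", "federated user %r is named by username; a later user given the "
                              "same name inherits this grant, prefer the user UUID" % m.group("name"))
    return (kind, "ok", "%s in account %s" % (kind, m.group("account")))


def lint_statement(stmt):
    """Return a list of (sid, level, message) findings for one policy statement."""
    sid = stmt.get("Sid", "<no Sid>")
    if "Principal" in stmt and "NotPrincipal" in stmt:
        return [(sid, "error", "statement has both Principal and NotPrincipal")]
    key = "Principal" if "Principal" in stmt else "NotPrincipal" if "NotPrincipal" in stmt else None
    if key is None:
        return [(sid, "error", "bucket policy statement has no Principal or NotPrincipal element")]
    principal = stmt[key]
    if principal == "*":
        identities = ["*"]
    elif isinstance(principal, dict) and set(principal) == {"AWS"}:
        aws = principal["AWS"]
        identities = aws if isinstance(aws, list) else [aws]
    else:
        return [(sid, "error", '%s must be "*" or {"AWS": ...}, got %r' % (key, principal))]
    findings = []
    for ident in identities:
        kind, level, msg = check_identity(str(ident))
        # An anonymous Deny, or excluding everyone via NotPrincipal, is not an open grant.
        if kind == "anonymous" and (key == "NotPrincipal" or stmt.get("Effect") != "Allow"):
            level = "ok"
        if level != "ok":
            findings.append((sid, level, msg))
    return findings


def lint_bucket_policy(policy_json):
    """Lint every statement; returns (errors, warnings) as lists of (sid, level, message)."""
    policy = json.loads(policy_json)
    findings = [f for stmt in policy.get("Statement", []) for f in lint_statement(stmt)]
    errors = [f for f in findings if f[1] == "error"]
    warnings = [f for f in findings if f[1] == "warn"]
    return errors, warnings


if __name__ == "__main__":
    errs, warns = lint_bucket_policy(SAMPLE_POLICY)
    for sid, level, msg in errs + warns:
        print("%-5s %-15s %s" % (level.upper(), sid, msg))
```

Run against the sample, the linter reports two errors (the statement with no Principal, and the bare "Bob" that is neither an account ID nor an ARN) and two warnings (the Allow to "*" and the federated user named by username). Deny statements with "*" are deliberately not flagged, since an anonymous Deny narrows access rather than opening it.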