Specifying principals in a policy

Use the Principal element to identify the user, group, or tenant account that is allowed or denied access to the resource by the policy statement.

  • Each policy statement in a bucket policy must include a Principal element. Policy statements in a group policy do not need the Principal element because the group is understood to be the principal.
  • In a policy, principals are denoted by the Principal element, or alternatively by NotPrincipal, which applies the statement to everyone except the listed principals.
  • Account-based identities must be specified using an ID or an ARN:
    "Principal": { "AWS": "account_id" }
    "Principal": { "AWS": "identity_arn" }
  • This example uses the tenant account ID 27233906934684427525, which includes the account root and all users in the account:
     "Principal": { "AWS": "27233906934684427525" }
  • You can specify just the account root:
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:root" }
  • You can specify a specific federated user ("Alex"):
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:federated-user/Alex" }
  • You can specify a specific federated group ("Managers"):
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:federated-group/Managers" }
  • You can specify an anonymous principal:
    "Principal": "*"
    This matches every requester, including unauthenticated (anonymous) requests, so an Allow statement with this principal makes the resource public for the listed actions. Use it only for access you intend to expose to everyone, and keep the Action and Resource in such a statement as narrow as possible.
  • To avoid ambiguity, you can use the user UUID instead of the username:
    "Principal": { "AWS": "arn:aws:iam::27233906934684427525:user-uuid/de305d54-75b4-431b-adb2-eb6b9e546013" }
    For example, suppose Alex leaves the organization and the username Alex is deleted. If a new Alex joins the organization and is assigned the same Alex username, the new user might unintentionally inherit the permissions granted to the original user.
  • The Principal value can name a group or user that does not yet exist when the bucket policy is created. Because a name-based principal matches whichever identity currently holds that name, prefer the user UUID form for long-lived grants to a specific person.
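The following script is an added example and is not part of the original documentation or of the StorageGRID product. It builds a small bucket policy (a constructed sample) that uses the principal forms listed above and then audits every statement for the three things a reviewer would check: a missing Principal element, an Allow statement granted to "*", and name-based principals that would be better expressed as a user-uuid ARN. The `classify_principal`, `principal_values` and `audit_bucket_policy` functions are hypothetical helpers written for this example; the acceptance of a list of strings under "AWS" and of local "user/" and "group/" ARNs is an assumption, since this section shows only single-string values and the federated and user-uuid forms.

```python
import json
import re

# Tenant account ID taken from the examples in this section.
ACCOUNT_ID = "27233906934684427525"

# Principal ARN shapes listed in this section (root, federated-user,
# federated-group, user-uuid). Local "user/" and "group/" ARNs are assumed
# to follow the same shape (assumption; not shown in this section).
ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>\d+):"
    r"(?P<kind>root|user|group|federated-user|federated-group|user-uuid)"
    r"(?:/(?P<name>[^/]+))?$"
)
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
# Grants to these kinds follow the name, not the identity behind it.
NAME_BASED = {"user", "group", "federated-user", "federated-group"}


def classify_principal(value):
    """Classify one principal string into (kind, detail).

    kind is anonymous, account, root, user, group, federated-user,
    federated-group, user-uuid, or invalid (detail then holds the reason).
    """
    if value == "*":
        return ("anonymous", "*")
    if value.isdigit():                      # bare tenant account ID
        return ("account", value)
    m = ARN_RE.match(value)
    if not m:
        return ("invalid", f"unrecognised principal {value!r}")
    kind, name = m.group("kind"), m.group("name")
    if kind == "root":
        if name is not None:
            return ("invalid", f"root ARN takes no name: {value!r}")
        return ("root", m.group("account"))
    if name is None:
        return ("invalid", f"{kind} ARN needs a /name: {value!r}")
    if kind == "user-uuid":
        if not UUID_RE.match(name):
            return ("invalid", f"user-uuid ARN needs a UUID: {value!r}")
        return ("user-uuid", name.lower())
    return (kind, name)


def principal_values(statement):
    """Yield (element, value) for each principal string in a statement.

    Accepts "*" or {"AWS": "<id-or-arn>"} as shown in this section; a list
    of strings under "AWS" is also accepted (assumption: standard policy
    grammar). A value of None marks a shape this checker does not understand.
    """
    for element in ("Principal", "NotPrincipal"):
        if element not in statement:
            continue
        spec = statement[element]
        if isinstance(spec, str):
            yield element, spec
        elif isinstance(spec, dict) and isinstance(spec.get("AWS"), (str, list)):
            aws = spec["AWS"]
            for value in ([aws] if isinstance(aws, str) else aws):
                yield element, value
        else:
            yield element, None


def audit_bucket_policy(policy):
    """Return findings (strings prefixed ERROR/WARN/INFO) for a bucket policy."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        label = stmt.get("Sid", f"Statement[{i}]")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append(f"ERROR {label}: bucket policy statement has no Principal or NotPrincipal")
            continue
        for element, value in principal_values(stmt):
            if value is None:
                findings.append(f'ERROR {label}: {element} must be "*" or {{"AWS": ...}}')
                continue
            kind, detail = classify_principal(value)
            if kind == "invalid":
                findings.append(f"ERROR {label}: {detail}")
            elif kind == "anonymous" and element == "Principal" and stmt.get("Effect") == "Allow":
                findings.append(f'WARN {label}: Allow to "*" grants access to unauthenticated requests')
            elif kind in NAME_BASED:
                findings.append(f"INFO {label}: {kind} {detail!r} is matched by name; "
                                f"a user-uuid ARN would survive name reuse")
    return findings


# Constructed sample policy (not from the original page): a name-based grant,
# a UUID-based grant, a public grant, and a statement that forgot its Principal.
SAMPLE_POLICY = {"Statement": [
    {"Sid": "AllowAlexByName", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::examplebucket/*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:federated-user/Alex"}},
    {"Sid": "AllowAlexByUuid", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::examplebucket/*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:user-uuid/"
                          "de305d54-75b4-431b-adb2-eb6b9e546013"}},
    {"Sid": "PublicList", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::examplebucket", "Principal": "*"},
    {"Sid": "MissingPrincipal", "Effect": "Allow", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::examplebucket/*"},
]}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_POLICY, indent=2))
    for finding in audit_bucket_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample, the audit reports one INFO for the name-based grant to Alex, one WARN for the public ListBucket statement, and one ERROR for the statement without a Principal; the user-uuid statement produces no finding. The same `audit_bucket_policy` call works on any policy loaded with `json.load`, so it can be dropped into a pre-deployment check for bucket policies.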