Specify An AWS Account Principal In A Resource Based Policy

There are three ways to specify an account principal in a resource based policy in AWS, they all do the same, why not just one? Ask AWS...

"Principal": { "AWS": "arn:aws:iam::100000100001:root" }
"Principal": { "AWS": "200002000002" }
"Principal": { "CanonicalUser": "0lybn1c57d6nnfybau0yk2jwb4h2soj0g2t22zp9n51ci0mvarhh2bv7yfyiqdk5" }

Both ARN and the shortened account ID behave the same way. Either way it does not limit permissions to only the root user of the account.

Not all AWS services support the canonical version of an account principal. But you can use the canonical user ID for instance in an S3 policy.

You can also combine all three versions in one statement, example:

"Principal": {
  "AWS": [
  "CanonicalUser": "0lybn1c57d6nnfybau0yk2jwb4h2soj0g2t22zp9n51ci0mvarhh2bv7yfyiqdk5"

Stay Safe! ☘️