awsdocs/iam-user-guide

Clarification on equality of "Principal": "*" vs "Principal" : { "AWS" : "*" }

Closed this issue · 3 comments

On this page:

https://github.com/awsdocs/iam-user-guide/blob/master/doc_source/reference_policies_elements_principal.md

the following assertion is made:

The following are equivalent:

"Principal": "*"
"Principal" : { "AWS" : "*" }

but isn't "AWS": "*" a subset of "*"? I.e., the Principal can take the form of:

<principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>)
<principal_map> = { <principal_map_entry>, <principal_map_entry>, ... }
<principal_map_entry> = ("AWS" | "Federated" | "Service") :
    [<principal_id_string>, <principal_id_string>, ...]

The assertion made implies that "AWS": "*" is equivalent to "Federated": "*" or "Service": "*" or "CanonicalUser": "*", which is not true.

I believe that you're correct and they're not equivalent. Here's what I think happens:
"Principal": "*" makes the resource publicly available.
"Principal" : { "AWS" : "*" } makes the resource available to anyone with an AWS account.

If that's true, then what this is saying is that they are functionally equivalent because if you try to access something and can't, then you create an AWS account and you'll have access.

However, the statement is too vague. I'll check with my engineers and see how we can be more specific.
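Added example, not code from the issue or from the AWS documentation: a small Python checker that applies the grammar quoted in the issue to tell the bare "*" principal apart from an "AWS": "*" entry, and reports both as open grants in the sense of the comment above. The sample policy, its Sids and the account id are constructed placeholders.

```python
# Constructed sample policy (placeholder account id, not from the page): one
# anonymous grant, one any-AWS-account grant, one grant scoped to an account.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Anon", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyAccount", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

# Map keys the issue's grammar (plus the CanonicalUser key it mentions) allows.
PRINCIPAL_KEYS = ("AWS", "Federated", "Service", "CanonicalUser")


def classify_principal(principal):
    """Classify a Principal value by the forms the grammar in the issue allows:
    "anonymous" for the bare "*", "any-aws-account" when an AWS entry is "*",
    "scoped" otherwise, "invalid" for shapes the grammar does not allow."""
    if principal == "*":
        return "anonymous"
    if not isinstance(principal, dict):
        return "invalid"
    for key, ids in principal.items():
        if key not in PRINCIPAL_KEYS:
            return "invalid"
        ids = ids if isinstance(ids, list) else [ids]  # grammar allows a list
        if key == "AWS" and "*" in ids:
            return "any-aws-account"
    return "scoped"


def find_open_statements(policy):
    """Return (Sid, classification) for each Allow statement whose Principal is
    the bare "*" or AWS "*". Both are reported: the second only requires the
    caller to hold some AWS account, which is not a meaningful restriction."""
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        kind = classify_principal(stmt["Principal"])
        if kind in ("anonymous", "any-aws-account"):
            hits.append((stmt.get("Sid", "<no Sid>"), kind))
    return hits
```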

Another reference to this Principal clarification:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html

"If the Principal in the policy is set to "*", other authorization types can be used alongside the resource policy. If the Principal is set to "AWS", authorization will fail for all resources not secured with AWS_IAM authorization, including unsecured resources."

We have updated the page to provide clarification. Thank you for your feedback!