AWS IAM glossary

What is IAM Principal?

A principal is an entity that can make a request to AWS — an IAM user, an IAM role session, a federated user, or an AWS service acting on your behalf.

In a policy, the Principal element appears in resource-based policies and trust policies to name who is allowed (or denied) access. Identity-based policies do not use a Principal element, because the principal is implied by the identity the policy is attached to.

Principals are referenced by ARN, by account, by service name, or by an account root, which stands for the whole account. Trusting a whole account means trusting every identity in that account, which is far broader than naming a specific role or user.

Example

{
  "Principal": { "Service": "lambda.amazonaws.com" }
}

Common mistake

Using a Principal of "*" or a bare account root without conditions trusts far more identities than intended and is a common root cause of cross-account exposure.
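Added example (not part of this glossary entry or of Shieldly's own tooling): a small Python check that walks the Allow statements of a trust policy and reports the broad Principal forms described above ("*", a bare account id, or an account-root ARN), noting whether a Condition narrows them. The sample trust policy, account id and organization id are constructed placeholders.

```python
import json
import re

# Constructed sample trust policy: one service principal, one bare account root
# with no Condition, and one wildcard principal narrowed by aws:PrincipalOrgID.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
    ],
})

ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")
ACCOUNT_ID = re.compile(r"^\d{12}$")


def principal_entries(principal):
    """Normalize a Principal element into (kind, value) pairs; "*" means {"AWS": "*"}."""
    if principal == "*":
        return [("AWS", "*")]
    entries = []
    for kind, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            entries.append((kind, value))
    return entries


def find_broad_principals(policy_json):
    """Return (statement index, value, scope, has_condition) for each Allow statement
    whose AWS principal is anyone ("*") or a whole account (bare id or root ARN)."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        has_condition = bool(stmt.get("Condition"))
        for kind, value in principal_entries(stmt["Principal"]):
            if kind != "AWS":
                continue  # Service and Federated principals name a specific party
            if value == "*":
                findings.append((index, value, "anyone", has_condition))
            elif ROOT_ARN.match(value) or ACCOUNT_ID.match(value):
                findings.append((index, value, "whole account", has_condition))
    return findings


def unconditional_broad_principals(policy_json):
    """The subset with no Condition at all: the pattern the glossary calls out."""
    return [f for f in find_broad_principals(policy_json) if not f[3]]
```

A Condition does not make a wildcard principal safe by itself; the check only separates statements that have some narrowing from those that have none.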


Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.