by officelineback 3378 days ago
Isn't the "Principal" element only a part of S3 permission policies, not IAM? In IAM the "principal" is implied, it's the user to which the policy is attached. Edit: I see you explain well into the article, but I believe the title of the article could be improved.
Principal can be any AWS resource, such as Kinesis Firehose or Lambda. Whichever resource needs the permissions. For example:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["firehose.amazonaws.com"]},
            "Action": ["sts:AssumeRole"]
        }]
    }
Yeah, I mention that in the "Who" aka Principal section. It's like that for any resource based policy (i.e. like S3). So IAM Users/groups have it implied, but Resource based ones like S3 do not have it implied.
The thing is, an S3 bucket policy is not an IAM policy. It's a bucket policy. They use the same language, format, and syntax, but they are not called the same thing.
Indeed, they're just a "resource" policy. They're still talked about together and share so many of the same attributes that it became more character-saving to say AWS IAM Policies vs. AWS IAM, S3, SNS, SQS, Glacier Policies =P
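The distinction the thread is circling (identity-based policies have no Principal, resource-based ones such as bucket policies and role trust policies must name one) is easy to check mechanically. The following is an added example, not code from any commenter: it classifies a policy document by that rule and flags Allow statements whose Principal is the anonymous wildcard, which is the common over-exposure in resource policies. All three sample policies, bucket name and account ids are constructed.

```python
import json

# Constructed sample policies (not from the thread). Bucket name is hypothetical.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

# A bucket policy that grants the object read to everyone (Principal "*").
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

# The role trust policy shape from the thread: a service principal, no wildcard.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": ["firehose.amazonaws.com"]},
                 "Action": ["sts:AssumeRole"]}]
}""")


def _as_list(value):
    # Policy grammar allows a single value or a list in most positions.
    return value if isinstance(value, list) else [value]


def classify_policy(policy):
    """'identity' if no statement names a (Not)Principal, else 'resource'."""
    statements = _as_list(policy.get("Statement", []))
    named = any("Principal" in s or "NotPrincipal" in s for s in statements)
    return "resource" if named else "identity"


def wildcard_principals(policy):
    """Indexes of Allow statements whose Principal is the anonymous wildcard."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Both "Principal": "*" and "Principal": {"AWS": "*"} mean anyone.
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            hits.append(i)
    return hits
```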