Yeah, I mention that in the "Who" aka Principal section. It's like that for any resource-based policy (i.e. like S3). So IAM users/groups have it implied, but resource-based ones like S3 do not have it implied.
The thing is, an S3 bucket policy is not an IAM policy. It's a bucket policy. They use the same language, format, and syntax, but they are not called the same thing.
Indeed, they're just a "resource" policy. They're still talked about together and share so many of the same attributes that it became more character-saving to say AWS IAM Policies vs. AWS IAM, S3, SNS, SQS, Glacier Policies =P
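
The distinction discussed in this thread, as an added example that is not part of any comment above and is not AWS code: a small check that a policy document uses `Principal` the way its attachment point requires. The function name, the `kind` argument, the bucket name, account ID and user name are all constructed for illustration.

```python
# Added example: function names and sample policies are constructed.

def _statements(policy):
    """Statement may be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def check_principal(policy, kind):
    """Return findings about how `policy` uses Principal.

    kind="identity": attached to an IAM user/group/role, so the principal
    is implied by the attachment and a Principal element is not allowed.
    kind="resource": attached to a resource such as an S3 bucket, so each
    statement has to say who it applies to (Principal or NotPrincipal).
    """
    if kind not in ("identity", "resource"):
        raise ValueError("kind must be 'identity' or 'resource'")
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        label = stmt.get("Sid", f"statement[{i}]")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if kind == "resource" and not has_principal:
            findings.append(f"{label}: resource-based policy statement has no Principal")
        elif kind == "identity" and has_principal:
            findings.append(f"{label}: identity-based policy must not set Principal")
    return findings

# Constructed sample: identity-based policy, "who" is whoever it is attached to.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "ReadReports", "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*"},
}

# Constructed sample: the same grant as a bucket policy, "who" is spelled out.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadReports", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

if __name__ == "__main__":
    for name, doc in (("identity", IDENTITY_POLICY), ("bucket", BUCKET_POLICY)):
        for kind in ("identity", "resource"):
            print(name, "checked as", kind, "->", check_principal(doc, kind) or "ok")
```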