Root user vs account ID in resource policy

Question

When referencing a principal in a resource policy (e.g. S3 bucket policy), it can be specified as either of the following:

`            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root"
                ]
            }
`

`            "Principal": {
                "AWS": [
                    "111122223333"
                ]
            }
`

From what I can tell, these are equivalent. Is there any hidden difference between them?

Accepted Answer

Hi Shahar, it is exact same thing

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

```
AWS account principals
You can specify AWS account identifiers in the Principal element of a resource-based 
policy or in condition keys that support principals. This delegates authority to the 
account. When you allow access to a different account, an administrator in that account 
must then grant access to an identity (IAM user or role) in that account. When you specify an 
AWS account, you can use the account ARN (arn:aws:iam::account-ID:root), or a shortened form t
hat consists of the "AWS": prefix followed by the account ID.

For example, given an account ID of 123456789012, you can use either of the following methods 
to specify that account in the Principal element:

"Principal": { "AWS": "arn:aws:iam::123456789012:root" }

"Principal": { "AWS": "123456789012" }

The account ARN and the shortened account ID behave the same way. Both delegate permissions 
to the account. Using the account ARN in the Principal element does not limit permissions to 
only the root user of the account.
```

Best,
Didier

Root user vs account ID in resource policy

Relevant content