To specify resource-based permissions, you can attach a policy to the resource, such as an Amazon SNS topic, an Amazon S3 bucket, or an Amazon Glacier vault. In that case, the policy has to include information about who is allowed to access the resource, known as the principal. (For user-based policies, the principal is the IAM user that the policy is attached to, or the user who gets the policy from a group.) http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
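
The distinction above, as an added example that is not taken from the AWS documentation: a small Python check that a resource-based policy names a principal in every statement and that a user-based policy names none. The account ID, user name, bucket name, and the `check_principal` helper with its `kind` labels are assumptions made for illustration.

```python
import json

# Constructed sample policies; account ID, user and bucket names are placeholders.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}
""")

USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }
}
""")

PRINCIPAL_KEYS = ("Principal", "NotPrincipal")

def statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def check_principal(policy, kind):
    """Return a list of problems; kind is 'resource' or 'user' (hypothetical labels)."""
    if kind not in ("resource", "user"):
        raise ValueError("kind must be 'resource' or 'user'")
    problems = []
    for i, stmt in enumerate(statements(policy)):
        has_principal = any(key in stmt for key in PRINCIPAL_KEYS)
        if kind == "resource" and not has_principal:
            problems.append(f"statement {i}: resource-based policy names no principal")
        elif kind == "user" and has_principal:
            # The principal is implied by the user or group the policy is attached to.
            problems.append(f"statement {i}: user-based policy must not name a principal")
    return problems

if __name__ == "__main__":
    print(check_principal(USER_POLICY, "resource"))
```

Running the user-based sample through the resource check reports the missing principal, which is the error you hit when an identity policy is pasted onto a bucket or topic unchanged.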