# An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy

- **ID:** `aws/s3-bucket-policy-invalid-principal`
- **Domain:** aws
- **Category:** config_error
- **Error Code:** `MalformedPolicy`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The `Principal` element in the S3 bucket policy references an IAM ARN that does not exist or uses an unsupported format (for example, the literal string `'AWS: *'` instead of the JSON object `{"AWS": "*"}` or a specific ARN).

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS CLI 2.15.0 | active | — | — |
| AWS SDK for Python 1.34.0 | active | — | — |
| AWS SDK for JavaScript 3.600.0 | active | — | — |

## Workarounds

1. **Use the AWS CLI to test the policy: `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json` and check the error message for the exact principal ARN that is invalid. Then correct it to a valid IAM user/role ARN (e.g., 'arn:aws:iam::123456789012:user/username').** (85% success)
2. **If using a service principal, ensure the format is 'Service': 's3.amazonaws.com' (or other service) instead of an ARN. Example: `"Principal": { "Service": "cloudfront.amazonaws.com" }`.** (90% success)
3. **Use the AWS Policy Simulator to validate the policy before applying it: https://policysim.aws.amazon.com/** (75% success)
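The checks described in the root cause and in workarounds 1 and 2 can be run locally before the `PutBucketPolicy` call is ever made, so the `MalformedPolicy` error is caught with a precise statement index instead of a generic message. The following is an added example and not part of this entry or of any AWS tooling; the policies are constructed (the account id `123456789012` is AWS's documentation sample), and `put_policy_if_valid` assumes a boto3 `s3` client (or anything with the same `put_bucket_policy` method). It goes slightly beyond the entry by also flagging `"*"` / `{"AWS": "*"}` principals as warnings, since a well-formed wildcard is still a public grant.

```python
import json
import re

# Accepted shapes for the "AWS" principal key: a 12-digit account id, or an
# IAM ARN for root, a user or a role (commercial, China and GovCloud partitions).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(
    r"^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:(?:root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)
# Service principals are host names, not ARNs (e.g. cloudfront.amazonaws.com).
SERVICE_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com(?:\.cn)?$")
ALLOWED_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}


def _as_list(value):
    """Policy grammar allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_principal(principal):
    """Return problems for one Principal element. Entries starting with 'WARN:'
    are well-formed but public; anything else would be rejected as MalformedPolicy."""
    problems = []
    if principal == "*":
        return ['WARN: Principal "*" makes the statement public']
    if not isinstance(principal, dict):
        # Catches the flattened typo 'AWS: *' (a string, not a JSON object).
        return [f'Principal must be "*" or a JSON object, got {principal!r}']
    for key, values in principal.items():
        if key not in ALLOWED_KEYS:  # keys are case-sensitive: "aws" is invalid
            problems.append(f"unsupported Principal key {key!r}, expected one of {sorted(ALLOWED_KEYS)}")
            continue
        for v in _as_list(values):
            if not isinstance(v, str):
                problems.append(f"{key} principal value must be a string, got {v!r}")
            elif key == "AWS":
                if v == "*":
                    problems.append('WARN: {"AWS": "*"} makes the statement public')
                elif not (ACCOUNT_ID_RE.match(v) or IAM_ARN_RE.match(v)):
                    problems.append(f"AWS principal {v!r} is not a 12-digit account id or IAM user/role/root ARN")
            elif key == "Service" and not SERVICE_RE.match(v):
                problems.append(f"Service principal {v!r} must be a service host name, not an ARN")
    return problems


def lint_policy(policy):
    """Map statement index -> list of problems for every statement with a bad or public Principal."""
    report = {}
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", stmt.get("NotPrincipal"))
        if principal is None:
            report[i] = ["statement has no Principal (required in a bucket policy)"]
            continue
        problems = check_principal(principal)
        if problems:
            report[i] = problems
    return report


def has_errors(report):
    """True if any reported problem is a hard error (not just a public-access warning)."""
    return any(not p.startswith("WARN:") for ps in report.values() for p in ps)


def put_policy_if_valid(s3_client, bucket, policy):
    """Lint first; only a policy with no hard errors reaches PutBucketPolicy."""
    report = lint_policy(policy)
    if has_errors(report):
        raise ValueError(f"refusing to apply policy, malformed Principal(s): {report}")
    return s3_client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


# Constructed sample policies (not from any real account).
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FlattenedWildcard", "Effect": "Allow", "Principal": "AWS: *",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "ShortAccountId", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::12345:user/alice"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "LowercaseKey", "Effect": "Allow", "Principal": {"aws": "123456789012"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket"},
]}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudFrontRead", "Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "UserRead", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
]}

if __name__ == "__main__":
    for name, pol in (("BAD_POLICY", BAD_POLICY), ("GOOD_POLICY", GOOD_POLICY)):
        print(name, json.dumps(lint_policy(pol), indent=2))
```

Run the linter over `policy.json` before the CLI step in workaround 1; a reported index maps directly onto the `Statement` array, which is more precise than the error string AWS returns. Warnings do not block the call, but they are the lines a reviewer should read twice.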

## Dead Ends

- Adding a wildcard principal with a typo (for example the flattened string `'AWS: *'` or an extra space) will still fail; the exact JSON form `{"AWS": "*"}` is required. (65% fail)
- Using a principal ARN that is in a different AWS account without proper cross-account trust setup will cause this error. (50% fail)
- Assuming the error is a syntax issue in the `Effect` or `Action` field, while the real problem is the `Principal` format. (40% fail)
