# MalformedPolicyDocument: Invalid principal in policy: 'AWS': 'arn:aws:iam::123456789012:role/MyRole' - ARN does not match expected format

- **ID:** `cloud/aws-iam-role-trust-policy-invalid-principal`
- **Domain:** cloud
- **Category:** config_error
- **Error Code:** `MalformedPolicyDocument`
- **Verification:** ai_generated
- **Fix Rate:** 92%

## Root Cause

The IAM role's trust policy contains a principal ARN that is malformed, or places a service principal under the wrong key. For cross-account trust, the principal must be the account ID, `'AWS': '123456789012'`, not a full role ARN.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS IAM API 2010-05-08 | active | — | — |
| AWS CLI 2.15.0 | active | — | — |

## Workarounds

1. **Change the principal to the account ID: `'AWS': '123456789012'`.** (95% success)
   ```
   {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}
   ```
2. **If using a service principal (e.g., for EC2), use `'Service': 'ec2.amazonaws.com'` instead of `'AWS'`.** (90% success)
   ```
   "Principal": {"Service": "ec2.amazonaws.com"}
   ```
3. **Use the AWS CLI to update the trust policy.** (85% success)
   ```
   aws iam update-assume-role-policy --role-name MyRole --policy-document file://trust-policy.json
   ```
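
The following is an added example, not code from this entry or from AWS: a small linter that finds the two principal mistakes described under Root Cause and Workarounds 1 and 2 (a full role ARN under `AWS`, a service principal under `AWS`) and produces a corrected policy to feed to Workaround 3. The function names, the constructed sample policy and the wildcard finding are assumptions of this example.

```python
import json
import re
# Added example (not from the page): lint a role trust policy for the principal
# mistakes this entry describes and build a corrected copy. Rules follow the
# page's guidance; function names and the wildcard finding are assumptions.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")

SAMPLE_POLICY = {  # constructed input reproducing the mistake in this entry's error
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": ["arn:aws:iam::123456789012:role/MyRole", "ec2.amazonaws.com"]}}],
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_trust_policy(policy):
    # Returns (statement index, principal value, message) for each problem found.
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare wildcard: security audits flag this
            findings.append((i, "*", "wildcard principal is overly permissive"))
            continue
        for value in _as_list(principal.get("AWS", [])):
            if ROLE_ARN_RE.match(value):
                findings.append((i, value, "role ARN under 'AWS': use the 12-digit account ID"))
            elif value.endswith(".amazonaws.com"):
                findings.append((i, value, "service principal under 'AWS': use the 'Service' key"))
    return findings

def fix_trust_policy(policy):
    # Returns a corrected deep copy; the caller's dict is left untouched.
    fixed = json.loads(json.dumps(policy))
    for stmt in fixed.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or "AWS" not in principal:
            continue
        accounts, services = [], _as_list(principal.get("Service", []))
        for value in _as_list(principal["AWS"]):
            m = ROLE_ARN_RE.match(value)
            if m:
                accounts.append(m.group(1))  # arn:aws:iam::123456789012:role/MyRole -> 123456789012
            elif value.endswith(".amazonaws.com"):
                services.append(value)  # ec2.amazonaws.com belongs under "Service"
            else:
                accounts.append(value)
        principal["AWS"] = accounts[0] if len(accounts) == 1 else accounts
        if not accounts:
            del principal["AWS"]
        if services:
            principal["Service"] = services[0] if len(services) == 1 else services
    return fixed
```

Write `json.dumps(fix_trust_policy(SAMPLE_POLICY))` to `trust-policy.json` and re-run the linter on the result before applying it with the CLI command above.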

## Dead Ends

- The policy is malformed because the principal format is incorrect. (90% fail)
- Overly permissive; security audits will flag this. (30% fail)
