I would like to ask if someone knows the difference between a "resource" and a "principal", when creating an aws_iam_policy_document in terraform.
The terraform documentation has the following information:
resource: A list of resource ARNs that this statement applies to. This is required by AWS if used for an IAM policy.
principals: A nested configuration block (described below) specifying a resource (or resource pattern) to which this statement applies.
From reading the above two sentences, it looks like they have the same effect, even though they might do different things.
On further research, I came across this article, which explains the differences between identity-based and resource-based policies.
It seems to me that this might be the answer to my question. If so, from what I understand, resource is a "resource-based" policy, while principal is an "identity-based" policy. Is that correct?
If this is the case, my follow-up question is: can I use both types of policies together to further restrict the access?
For example, if I have a resource policy on an S3 bucket granting complete public access, but then I add an identity-based policy for a single user, does this user become the only one who can access the bucket?
I appreciate your help, and will try to clarify anything that might be unclear.
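To make the two attributes concrete, here is an added Terraform example (not from the question or the provider docs) that builds the same data source both ways: once as a bucket policy, where the document must name both who (principals) and what (resources), and once as a policy attached to a user, where the principal is implicit and only resources is given. The bucket name and user name are placeholder values.

```hcl
# Constructed resources so the example applies on its own (placeholder names).
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket-placeholder"
}

resource "aws_iam_user" "reader" {
  name = "reader"
}

# Resource-based policy: it lives on the bucket, so the statement has to say
# WHO may act (principals) and WHAT they may act on (resources).
data "aws_iam_policy_document" "bucket" {
  statement {
    sid     = "AllowReaderGetObject"
    effect  = "Allow"
    actions = ["s3:GetObject"]

    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.reader.arn]
    }

    resources = ["${aws_s3_bucket.example.arn}/*"]
  }
}

resource "aws_s3_bucket_policy" "bucket" {
  bucket = aws_s3_bucket.example.id
  policy = data.aws_iam_policy_document.bucket.json
}

# Identity-based policy: it is attached to the user, so the user is the
# principal by definition and the statement only names resources.
# A principals block is not valid in a policy attached to an identity.
data "aws_iam_policy_document" "user" {
  statement {
    sid       = "ReadExampleBucket"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.example.arn}/*"]
  }
}

resource "aws_iam_user_policy" "reader" {
  name   = "read-example-bucket"
  user   = aws_iam_user.reader.name
  policy = data.aws_iam_policy_document.user.json
}
```

Within a single account, a request is allowed if either the bucket policy or the user's identity-based policy allows it and nothing explicitly denies it, so adding an Allow for one user does not by itself take access away from anyone the bucket policy already permits; restricting access means narrowing or denying in the bucket policy rather than adding another Allow.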