- resource policies can give access to identities in other accounts
- resource policy has a “Principal” field specifies what identities the statement applies to
- can allow or deny anonymous principals: simply set Principal to
"*"
- can allow or deny anonymous principals: simply set Principal to