Tech Echo (科技回声)

A tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 Tech Echo (科技回声). All rights reserved.

What You See Is Not What You Get: Weird Behaviors in S3 Bucket Policies

2 points, by elfakyn, over 4 years ago

1 comment

elfakyn, over 4 years ago
I wrote this up since, over the past year, I've encountered more and more weird behavior with s3 bucket policies.

I haven't seen all of this behavior documented in a single place, so here it is.

Some of it has security implications (such as being able to brute force usernames) that are worth knowing about.

A TL;DR of the security stuff:

* Brute-forcing valid principal names is possible, since you can't create a bucket policy with an invalid principal.

* User compromise will break cross-account access, since if AWS becomes aware of a compromise, they will want you to delete the user and recreate it.

* Explicit denies will stop working if the principal is deleted and recreated, since they operate internally on the Principal ID and not the ARN.

* Canonical IDs offer no extra security compared to account ARNs, since it's trivial to convert them back and get an account number.
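The third bullet in the comment above (explicit denies keyed on the principal's unique ID rather than its ARN) is the one worth auditing for in existing buckets. The following is an added example and is not part of elfakyn's post or write-up. It relies on AWS's documented behavior that once an IAM user or role named in a resource policy is deleted, the stored policy shows the identity's unique ID in place of the ARN (AIDA… for users, AROA… for roles, AROA…:session-name for role sessions), and it flags every statement where that has happened. The sample bucket policy, bucket name, account number, Sids and unique IDs are constructed for illustration and do not come from any real account.

```python
import json
import re
from typing import Any

# IAM unique-ID prefixes that can replace an ARN in a Principal element after
# the identity is deleted: AIDA = IAM user, AROA = IAM role. A deleted role's
# session principal is rendered as "AROA...:session-name". (Assumption: based
# on AWS's documented rendering of deleted principals in resource policies.)
DANGLING_PRINCIPAL_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]{16,}(:.+)?$")

# Constructed sample policy: one healthy Allow, one Deny that still names a
# live user but also a deleted one, and one Deny bound to a deleted role session.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPartner",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/partner-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyFormerContractor",
            "Effect": "Deny",
            "Principal": {"AWS": [
                "AIDAEXAMPLEDELETEDUSER1",                    # user deleted, ID left behind
                "arn:aws:iam::111122223333:user/alice",       # still resolves
            ]},
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "DenyOldSession",
            "Effect": "Deny",
            "Principal": {"AWS": "AROAEXAMPLEDELETEDROLE:ci-session"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})


def _as_list(value: Any) -> list:
    """Policy documents allow a scalar wherever a list is accepted; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_dangling_principal(value: str) -> bool:
    """True if the principal is a bare unique ID, i.e. its ARN no longer resolves."""
    return bool(DANGLING_PRINCIPAL_RE.match(value))


def principals_of(statement: dict) -> list[str]:
    """Return every AWS principal named by a statement's Principal / NotPrincipal."""
    found: list[str] = []
    for key in ("Principal", "NotPrincipal"):
        element = statement.get(key)
        if element is None:
            continue
        if element == "*":
            found.append("*")
        elif isinstance(element, dict):
            found.extend(_as_list(element.get("AWS")))
    return found


def find_dangling_principals(policy_json: str) -> list[dict]:
    """Walk a bucket policy (the JSON string S3 stores) and report every
    statement whose principal has degraded to a unique ID."""
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        for principal in principals_of(statement):
            if is_dangling_principal(principal):
                findings.append({
                    "sid": statement.get("Sid", ""),
                    "effect": statement.get("Effect"),
                    "principal": principal,
                })
    return findings


def ineffective_denies(policy_json: str) -> list[str]:
    """Sids of Deny statements that no longer bind to anything: the identity was
    deleted, and a recreated identity with the same ARN gets a new unique ID."""
    seen: list[str] = []
    for finding in find_dangling_principals(policy_json):
        if finding["effect"] == "Deny" and finding["sid"] not in seen:
            seen.append(finding["sid"])
    return seen


if __name__ == "__main__":
    for finding in find_dangling_principals(SAMPLE_POLICY):
        print(f"{finding['effect']:<5} {finding['sid']:<22} dangling principal {finding['principal']}")
    print("Denies that no longer protect anything:", ineffective_denies(SAMPLE_POLICY))
```

In practice you would feed the function the `Policy` string returned by boto3's `s3.get_bucket_policy(Bucket=...)`. A Deny in the findings is exactly the situation the comment describes: the recreated user or role carries the old ARN but a new unique ID, so the stored deny silently matches nothing. Rewriting the statement with the ARN re-binds it to the new ID. A dangling Allow is harmless but dead, and a dangling NotPrincipal in a Deny is the inverse problem, since the deny now applies to everyone except an identity that no longer exists.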