Status: IN
The deny-with-condition pattern using `"Principal": "*"` with `ArnNotEquals` on `aws:PrincipalArn` is preferred over `NotPrincipal` for deny-all-except access patterns.
Source: entries/2026/03/11/IAM-latest-UserGuide-reference_policies_elements_principalhtml.md
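
The pattern written out as a resource-based policy. This is an added example, not text from the source entry; an S3 bucket policy is assumed as the resource type, and the bucket name, account ID and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyAllExceptOneRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/ExampleAllowedRole"
        }
      }
    }
  ]
}
```

The Deny applies to every caller whose `aws:PrincipalArn` does not match the listed ARN; for an assumed-role session that key holds the role ARN, so the session ARN does not have to be listed separately. The statement grants nothing by itself, so the excepted role still needs an Allow from its identity-based policy or another statement.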