{"id":"iam-deny-with-condition-preferred-over-notprincipal","text":"For deny-all-except access patterns, a `Deny` statement that uses `\"Principal\": \"*\"` together with an `ArnNotEquals` condition on `aws:PrincipalArn` (listing the principal ARNs to exempt) is preferred over `NotPrincipal`.","truth_value":"IN","source":"entries/2026/03/11/IAM-latest-UserGuide-reference_policies_elements_principalhtml.md","source_url":"","source_hash":"6b474327217a2bc0","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-deny-with-condition-preferred-over-notprincipal","truth_value":"IN","reason":"premise"}]}}