Using "Effect": "Allow" with the NotPrincipal can be overly permissive. For example, this can grant permissions to anonymous principals. AWS recommends that you specify principals that need access using the Principal element.
In AWS Console -
In Terraform -
References:
https://docs.aws.amazon.com/IAM/latest/UserGuide/service_code_examples_iam.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy