restrict bucket to users

How to restrict a S3 bucket to certain group of users. Edit the bucket policy and add the following.

{
    "Version": "2012-10-17",
    "Id": "bucketPolicy",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": "arn:aws:iam::xxxxxxxxxx:user/username",
                "AWS": "arn:aws:iam::xxxxxxxxxx:root",
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}

Replace xxxxxxxxxx with your AWS account number.
Replace bucketname with your S3 bucket.
Replace username with your IAM user.
Root is your AWS root account.
Accounts must be valid.