What Should I Do If Permissions Are Not Working as Expected When "NotAction" Is Used in an Identity Policy?
Symptom
An administrator created an identity policy on the new IAM console and used a deny statement with "NotAction" to exclude the actions of one cloud service from the deny. However, the actions of another cloud service are also excluded from the deny statement. For example, a member account in an organization has all cloud service permissions and is attached with an identity policy whose deny statement uses "NotAction" to exclude VPC actions. The intent is to deny everything except VPC, but the policy denies neither the VPC actions nor the EIP actions. The following is the identity policy used in this example:
{
    "Version": "5.0",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": [
            "VPC:*:*"
        ]
    }]
}
Possible Causes
Some actions of a cloud service have aliases that are the action names of another cloud service. The aliases map the actions on the new console to those on the old console. For example, EIP uses the names of some VPC actions as aliases of EIP actions. During identity policy authentication, an action and its alias are treated as the same action. "NotAction" therefore matches EIP actions through their VPC aliases as well, so both the VPC actions and the EIP actions are excluded from the deny statement.
Solutions
In the preceding scenario, to allow cloud service A's actions and deny cloud service B's actions, you need two deny statements: one that uses "NotAction" to exclude service A's actions, and another that explicitly denies service B's actions. An explicit deny takes precedence over the exclusion, so the second statement denies service B's actions even though their aliases are excluded by the first. For example, to allow VPC actions and deny EIP actions, use "NotAction" to exclude the VPC actions from the first deny statement and add a second deny statement for the EIP actions. Before relying on "NotAction" for a service, check which of its actions have aliases in another service. The following is an example identity policy:
{
    "Version": "5.0",
    "Statement": [{
        "Effect": "Deny",
        "NotAction": [
            "VPC:*:*"
        ]
    },
    {
        "Effect": "Deny",
        "Action": [
            "EIP:*:*"
        ]
    }]
}
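The following is an added example, not code from the IAM documentation or the IAM authorizer, that simulates the evaluation described in the Possible Causes and Solutions sections. It models a small alias table in which one EIP action is also known under a VPC action name; the action names and the alias table are hypothetical, and the evaluation rules (an explicit deny overrides any allow, a statement with "NotAction" applies to every action that does not match the listed patterns, and an alias is matched as if it were the action itself) are the ones the page describes. Running it shows that the first policy leaves the EIP action allowed while the second denies it.

```python
# Added example: a minimal simulator of identity-policy evaluation with
# action aliases. It is NOT Huawei Cloud's authorizer; action names and the
# alias table below are hypothetical and chosen only to illustrate the FAQ.
from fnmatch import fnmatchcase

# Hypothetical alias table: an EIP action that is also known under a VPC
# action name (its old-console name). Real alias lists are service-specific.
ALIASES = {
    "EIP:publicIps:list": "VPC:publicIps:list",
}


def equivalent_names(action):
    """All names the authorizer treats as the same action (action + aliases)."""
    names = {action}
    if action in ALIASES:
        names.add(ALIASES[action])
    for canonical, alias in ALIASES.items():
        if alias == action:
            names.add(canonical)
    return names


def matches(patterns, action):
    """True if any pattern (e.g. 'VPC:*:*') matches the action or an alias of it."""
    return any(fnmatchcase(name, p)
               for name in equivalent_names(action) for p in patterns)


def statement_applies(stmt, action):
    """'Action' applies on a match; 'NotAction' applies on a non-match."""
    if "Action" in stmt:
        return matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not matches(stmt["NotAction"], action)
    return False


def evaluate(policies, action):
    """Explicit deny overrides allow; with no matching allow the default is deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed: the member account holds all cloud service permissions.
FULL_ACCESS = {"Version": "5.0",
               "Statement": [{"Effect": "Allow", "Action": ["*:*:*"]}]}
# The policy from the Symptom section.
BROKEN = {"Version": "5.0",
          "Statement": [{"Effect": "Deny", "NotAction": ["VPC:*:*"]}]}
# The policy from the Solutions section.
FIXED = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "NotAction": ["VPC:*:*"]},
    {"Effect": "Deny", "Action": ["EIP:*:*"]},
]}

# Hypothetical actions used to probe each policy.
PROBES = ("VPC:vpcs:list", "EIP:publicIps:list", "ECS:cloudServers:list")


def check(policy):
    """Decision for each probe action under full access plus the given policy."""
    return {a: evaluate([FULL_ACCESS, policy], a) for a in PROBES}


if __name__ == "__main__":
    print("broken:", check(BROKEN))
    print("fixed: ", check(FIXED))
```

With the broken policy the EIP action is still allowed because its VPC alias matches "VPC:*:*" and so falls into the "NotAction" exclusion, exactly as the page describes; with the fixed policy the explicit "EIP:*:*" deny wins regardless of the exclusion, while the VPC action stays allowed and unrelated actions remain denied.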