AWS SCP with "NotAction" Deny is just... Denying..?

Question

I am using a Service Control Policy - two actually. One which is on the root of my OU, which is the standard FullAWSAccess one. The other is a new one which I wrote:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSTS",
      "Effect": "Deny",
      "NotAction": [
        "sts:*",
        "s3:*",
        "iam:*"
      ],
      "Resource": "*"
    }
  ]
}

To me, the policy looks good - I want to only be able to use STS (assumeRole), and I have an S3 + IAM allow in there just for testing purposes.

However, when I apply this policy to the organizational unit which contains my SafeManagement account (from which I want to use a IAM user to assumerole into other organizations accounts...) it just straight up denies everything!

I have the IAM permissions in there as already stated for debugging purposes - I still get this error when trying to view my buckets or create one:

The reason I know that it's SCP causing this issue is because - when I change the SCP quickly to Effect: Allow and NotAction to Action, it works perfectly and I can view my buckets and iam roles and stuff!

My question is - why is it denying everything instead of letting me do what I am clearly asking it to do - allow sts, s3 and iam actions inside of this organizational unit?

Answer 1

So this is one of those situations where I sit on a problem for an hour and then finally give up and ask on Stack Overflow; then I get a random brainwave and solve it...

This policy works for me:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSTS",
      "Effect": "Deny",
      "NotAction": [
        "sts:*",
        "s3:*",
        "iam:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MaybeThisFixesIt",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}