Non STS session explicitDeny overlaps with STS Allow

[anuragnandan]

I have Deny for all permissions if its not a STS session with MFA, except getSessionToken, listMFADevices, setMFADevice and few more.

{ "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }
This checker said I have an explicitDeny on ecs:ExecuteCommand and ssm:StartSession even with a valid STS session and permission, because of explicitDeny without MFA Session. So, I had to add the two permissions to my list

{ "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken", "ecs:ExecuteCommand", "ssm:StartSession" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } }

which means, I can execCommand on my cluster without a MFA STS session.