AWS IAM glossary

What is NotAction Element?

NotAction matches every action except the ones listed, so it is an inverted action set that is easy to misread as a denial.

A statement with Effect Allow and NotAction set to a single action allows every other action — often far more than intended. NotAction does not deny the listed action; it simply excludes it from the set the statement applies to.

NotAction is occasionally useful with an explicit Deny to carve out exceptions, but in an Allow statement it is a frequent source of accidental over-permissioning. The safer default is to list the exact actions you intend to allow.

Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "NotAction": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}

Common mistake

Reading "NotAction": "s3:DeleteObject" as "deny delete". It actually allows every action except delete — close to full access.
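The Allow-versus-Deny behaviour described above, as an added example written for this entry (not Shieldly's or AWS's code): a small Python evaluator of the Action/NotAction element plus a lint that flags Allow statements using NotAction. The three policies are constructed samples, and the evaluator assumes Resource "*" with no Condition, so only the action element matters.

```python
import fnmatch

# Constructed sample policies for illustration; not taken from any real account.
OVERPERMISSIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "s3:DeleteObject", "Resource": "*"}]}

EXPLICIT_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"}]}

# NotAction paired with Deny: everything outside the listed read actions is explicitly denied.
DENY_ALL_BUT_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action names are case-insensitive; patterns may use * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt, action):
    """Action lists the set the statement covers; NotAction covers its complement."""
    if "Action" in stmt:
        return any(_matches(p, action) for p in _as_list(stmt["Action"]))
    return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))


def evaluate(policy, action):
    """Simplified IAM decision: an explicit Deny wins, then any Allow, else implicit deny.
    Assumes Resource "*" and no Condition, so only the action element is evaluated."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def allow_with_notaction(policy):
    """Lint check: Allow statements that use NotAction, the over-permissioning pattern above."""
    return [s for s in policy["Statement"] if s["Effect"] == "Allow" and "NotAction" in s]


if __name__ == "__main__":
    for action in ("s3:DeleteObject", "s3:GetObject", "iam:CreateUser"):
        print(action, evaluate(OVERPERMISSIVE, action), evaluate(EXPLICIT_ALLOW, action))
```

Note that s3:DeleteObject comes back as ImplicitDeny under the NotAction policy, not ExplicitDeny: any other attached policy that allows it would still win.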

Analyze a real policy free

Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.