[schlarpc]

Just to give an example of the pain that can be caused by NotAction in practice: https://www.reddit.com/r/aws/comments/3recc9/this_iam_policy...

This policy looks reasonable to a casual observer, but actually gives * access to everything in the account. IAM policies are _hard_.

[dastbe]

Yeah, I can see how using "Not" as opposed to "Inverted" would trip up people here. However, I would say that's a naming issue and (for some reason) a resiliency to using explicit deny policies.