IAM role takes precedence over KMS key policy


I applied a "PowerUserAccess" policy to the "developer" role in my account, which is used by several users. The role allows access to AWS resources, so anyone holding it can encrypt/decrypt with the keys in KMS. I want to restrict encrypt/decrypt operations on one specific KMS key. To do this, I added a Deny section to the default key policy of that key, as shown below. This Deny is meant to block encrypt/decrypt for any principal unless their user ID is root (12345), one of the specific roles AROAADMINROLE (admin account) or AROALAMBDAROLE (assumed role), or the IAM user AIDAMYIAMUSER. Despite the explicit Deny section, users with the developer role are still able to encrypt/decrypt with this key. Can someone help me find what is wrong?

A similar policy can be used to restrict access to our S3 bucket. I followed this article to build the policy: https://aws.amazon.com/premiumsupport/knowledge-center/explicit-deny-principal-elements-s3/. The policy below uses wildcards and the StringNotLike condition to apply the same principle.

**KMS policy**

{
    "Id": "my-key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:user/my_iam_user"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",
                        "AROAADMINROLE",
                        "AROAADMINROLE:*",
                        "AIDALAMBDAROLE:*",
                        "AIDALAMBDAROLE",
                        "AIDAMYIAMUSER:*",
                        "AIDAMYIAMUSER"
                    ]
                }
            }
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::12345:user/my_iam_user",
                    "arn:aws:iam::12345:role/my_lambda_role"
                ]
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
Asked 6 months ago, 15 views
1 answer

It looks like you just have a typo: the Deny statement is missing its Resource element.

Your policy should be changed to:

        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",
                        "AROAADMINROLE",
                        "AROAADMINROLE:*",
                        "AIDALAMBDAROLE:*",
                        "AIDALAMBDAROLE",
                        "AIDAMYIAMUSER:*",
                        "AIDAMYIAMUSER"
                    ]
                }
            }
        },

Hope this helps!

Answered 6 months ago
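The defect in the question and the fix in the answer are easy to check offline before a policy is ever put on a key. The following script is an added example, not code from the thread or from AWS: it lints a key policy for statements that lack a required element (a Deny with no Resource matches nothing), and it replays the Deny statement's StringNotLike condition on aws:userid against constructed sample user IDs to show which callers end up blocked. It models only this Deny statement and the StringLike wildcard rules (`*` and `?`); it is not a full IAM evaluator, and identity-based policies, grants and other condition operators are out of scope. The principal IDs are the placeholders from the thread, and the session user IDs (for example AROADEVELOPERROLE:alice) are constructed for the test.

```python
import copy
import re

# Constructed key policy: the Deny statement from the thread, including the
# Resource element the answer says was missing. IDs are the thread's
# placeholders, not real AWS identifiers.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExplicitDenyEncryptDecryptAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["kms:Encrypt", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userid": [
                        "12345",                                   # account root
                        "AROAADMINROLE", "AROAADMINROLE:*",        # admin role sessions
                        "AIDALAMBDAROLE", "AIDALAMBDAROLE:*",      # lambda role sessions
                        "AIDAMYIAMUSER", "AIDAMYIAMUSER:*",        # one IAM user
                    ]
                }
            },
        }
    ],
}

# The questioner's version: identical, but without "Resource".
QUESTION_POLICY = copy.deepcopy(FIXED_POLICY)
del QUESTION_POLICY["Statement"][0]["Resource"]

REQUIRED_ELEMENTS = ("Effect", "Principal", "Action", "Resource")


def missing_elements(policy):
    """Return {Sid: [missing elements]} for every statement in a
    resource-based policy that lacks a required element."""
    problems = {}
    for i, stmt in enumerate(policy["Statement"]):
        sid = stmt.get("Sid", f"statement[{i}]")
        missing = [k for k in REQUIRED_ELEMENTS if k not in stmt]
        if missing:
            problems[sid] = missing
    return problems


def like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one character,
    everything else literally (case-sensitive)."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def deny_applies(stmt, action, user_id):
    """True if this Deny statement matches a request for `action` made by a
    caller whose aws:userid is `user_id`. A statement with no Resource is
    treated as matching nothing, which is the symptom in the question."""
    if stmt.get("Effect") != "Deny" or "Resource" not in stmt:
        return False
    if not any(like(a, action) for a in _as_list(stmt["Action"])):
        return False
    # StringNotLike with several values: the condition holds only when the
    # key matches none of them, so one match exempts the caller.
    exemptions = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:userid", [])
    return not any(like(p, user_id) for p in _as_list(exemptions))


def is_denied(policy, action, user_id):
    """True if any Deny statement in the key policy blocks the request."""
    return any(deny_applies(s, action, user_id) for s in policy["Statement"])


if __name__ == "__main__":
    print("lint of question policy:", missing_elements(QUESTION_POLICY))
    for uid in ("AROADEVELOPERROLE:alice", "AROAADMINROLE:alice", "12345"):
        print(uid, "denied kms:Decrypt:", is_denied(FIXED_POLICY, "kms:Decrypt", uid))
```

Run it before applying a key policy with PutKeyPolicy: the lint should come back empty, and the replay should show developer-role sessions denied while the listed root, role and user IDs are exempt. The role session form `AROA...:session-name` is what aws:userid carries for an assumed role, which is why each role ID is listed both bare and with `:*`.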
