Is it possible to exclude a volume from explicit deny in AWS IAM Policy
```json
{
    "Sid": "DenyCreationOfUnencryptedEBSVOL",
    "Effect": "Deny",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "ec2:Encrypted": "false"
        }
    }
}
```
That blocks any volumes from being created unencrypted.
I was thinking that using a combination of conditions would allow only volumes whose Name tag value contains `Test_Unencrypted` anywhere in the value:
```json
{
    "Sid": "DenyCreationOfUnencryptedEBSVOL",
    "Effect": "Deny",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "Bool": {
            "ec2:Encrypted": "false"
        },
        "StringNotLike": {
            "aws:ResourceTag/Name": "*Test_Unencrypted*"
        }
    }
}
```
Is it possible to exclude a single resource from the deny like above?
You can use the key `NotResource`. Example: this applies the deny action to all resources except the mentioned objects.
Example taken from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notresource.html
Edit: I see now you probably also mean to exclude resources that have a certain tag attached to them. So when the test_unencrypted tag is present you allow it to be created. I think you can also use the `StringNotEquals` with `aws:RequestTag/MyTagKey: MyTagValue` condition key for this. Then you can create volumes only if you provide the tag. Note that this condition is only present for API calls that either set or remove tags (CreateVolume supports this).
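To see how the two approaches differ, here is an added example (not from the question or the answer) that models, in a simplified way, how IAM evaluates the Condition block of one Deny statement against a CreateVolume request context. It assumes single-valued keys and models the documented absent-key behaviour: a key missing from the context makes non-negated operators fail and negated ones (StringNot*) match, which is why a request-time `aws:RequestTag/Name` condition can carve out an exception while `aws:ResourceTag/Name` cannot on a create call.

```python
import fnmatch

# Added example, not code from the question or answer. Simplified model of IAM
# condition evaluation: single-valued keys only; an absent key fails non-negated
# operators and matches negated ones (no ...IfExists handling).
DENY_UNENCRYPTED_UNLESS_TAGGED = {
    "Sid": "DenyCreationOfUnencryptedEBSVOL",
    "Effect": "Deny",
    "Action": "ec2:CreateVolume",
    "Resource": "*",
    "Condition": {
        "Bool": {"ec2:Encrypted": "false"},
        # Request-time tag as suggested in the answer. aws:ResourceTag is not in
        # the context of a create call because the volume does not exist yet.
        "StringNotEquals": {"aws:RequestTag/Name": "Test_Unencrypted"},
    },
}

def _operator_matches(op, expected, actual):
    """Evaluate one condition operator for one key against the context value."""
    if actual is None:  # key absent from the request context
        return op.startswith("StringNot")
    if op == "Bool":
        return str(actual).lower() == expected.lower()
    if op == "StringEquals":
        return actual == expected
    if op == "StringNotEquals":
        return actual != expected
    if op == "StringLike":
        return fnmatch.fnmatchcase(actual, expected)
    if op == "StringNotLike":
        return not fnmatch.fnmatchcase(actual, expected)
    raise ValueError(f"unsupported operator {op}")

def statement_denies(statement, context):
    """True when every condition in the Deny statement matches the context."""
    for op, pairs in statement["Condition"].items():
        for key, expected in pairs.items():
            if not _operator_matches(op, expected, context.get(key)):
                return False
    return True

# Constructed request contexts for ec2:CreateVolume (sample values, not real).
ENCRYPTED = {"ec2:Encrypted": "true"}
PLAIN_NO_TAG = {"ec2:Encrypted": "false"}
PLAIN_TAGGED = {"ec2:Encrypted": "false", "aws:RequestTag/Name": "Test_Unencrypted"}
PLAIN_WRONG_TAG = {"ec2:Encrypted": "false", "aws:RequestTag/Name": "prod-data"}
```

Running the question's original `aws:ResourceTag/Name` statement through `statement_denies` with `PLAIN_TAGGED` still returns True, because the key is absent from the create-call context and `StringNotLike` then matches.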