
AWS CloudFormation Template for an IAM Group That May Only Access a Specific S3 Bucket

A similar question on this topic has already been asked here, but none of the solutions on that post worked for me, and it is quite old, which led me to believe that maybe something has changed in AWS that warranted asking a new question.

Basically, I am using a CloudFormation template to define an IAM group with an inline policy so that its users can only access a single S3 bucket. Based on the linked question, I arrived at the following template (the original posts used JSON but I'm using YAML):

  # Resources entry: a group whose inline policy is meant to grant access to one bucket only
  BucketAccessGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: my-bucket-admins
      Path: /my-bucket-admins/
      Policies:
      - PolicyName: MyBucketAccess
        PolicyDocument:
          Version: "2012-10-17"   # quoted so YAML parsers do not read it as a date
          Statement:
          - # Full access to the one bucket and to every object in it
            Effect: Allow
            Action: s3:*
            Resource:
            - arn:aws:s3:::my-bucket-name
            - arn:aws:s3:::my-bucket-name/*
          - # s3:ListAllMyBuckets only takes Resource "*"; needed for the console bucket list
            Effect: Allow
            Action: s3:ListAllMyBuckets
            Resource: "*"

Unfortunately, an IAM user in this group is allowed not only to list every other bucket (required for Console access), but also to open, modify, and delete them, and their objects! Obviously this is not desired behavior! Has something changed with AWS that makes this policy no longer valid? Does the policy not work the same in a CloudFormation template as it does on its own? Any help would be appreciated!

EDIT:

As stated in @wjordan's answer, it turns out that another policy was already giving the group full S3 permissions. I was adding the AWSLambdaFullAccess managed policy, which unexpectedly had an allow s3:* line (I left that out of the above code because I didn't think it was relevant!). Given the need to coexist with that policy, here is my updated CF template, which is working as intended and is also a bit more secure:

  BucketAccessGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: my-bucket-admins
      # Managed policy that already allows s3:* on every bucket; the inline Denies below rein it in
      ManagedPolicyArns: [ "arn:aws:iam::aws:policy/AWSLambdaFullAccess" ]
      Policies:
      - PolicyName: MyBucketAccess
        PolicyDocument:
          Version: "2012-10-17"   # quoted so YAML parsers do not read it as a date
          Statement:
          - # Prevent changing permissions in any way on the desired bucket
            Effect: Deny
            Action:
            - s3:DeleteBucket
            - s3:DeleteBucketPolicy
            - s3:PutBucketPolicy
            - s3:PutBucketAcl
            Resource:
            - arn:aws:s3:::my-bucket-name
            - arn:aws:s3:::my-bucket-name/*
          - # Prevent all S3 actions except listing buckets, on everything except the desired bucket (AWSLambdaFullAccess already allows s3:*)
            # Note: NotAction matches every action in every service except the one listed, not just s3:*
            Effect: Deny
            NotAction: s3:ListAllMyBuckets
            NotResource:
            - arn:aws:s3:::my-bucket-name
            - arn:aws:s3:::my-bucket-name/*

The policy provided looks correct and not out of date to me. Are you sure that the IAM user in question doesn't have any additional groups/policies applied beyond the AWS::IAM::Group specified that would be granting them the unexpected permissions?

One way to confirm this would be to create a new IAM user from scratch and attempt to reproduce the issue there.
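To see why the original inline policy did not behave as expected, and what the Deny-based rewrite does and does not do, here is an added example (not code from either post, and not an AWS library): a simplified IAM evaluator that models the three things at play on this page, namely that every policy attached to a principal is unioned, that an explicit Deny in any of them wins over every Allow, and that NotAction/NotResource match far more than they look like they do. It runs the two templates from the question against a stand-in for the managed policy the answer pointed at. The stand-in's lambda:* grant, the other-bucket and Lambda ARNs, and the explicit S3 action list in the alternative policy are assumptions made for the demonstration. It also shows a caveat with the updated template's second statement: a Deny with NotAction: s3:ListAllMyBuckets matches every action in every service, so on any resource other than the bucket it also denies the Lambda permissions the managed policy was attached for.

```python
"""Simplified IAM policy evaluation written for this page (not an AWS library).
Only Effect, Action, NotAction, Resource and NotResource with '*' and '?'
wildcards are modeled; Conditions, resource policies, SCPs and permission
boundaries are ignored.
"""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::my-bucket-name"
BUCKET_OBJECTS = "arn:aws:s3:::my-bucket-name/*"

# Inline policy from the original template in the question.
ORIGINAL_INLINE = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET_OBJECTS]},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
]}

# Stand-in for the AWSLambdaFullAccess managed policy. The page states it
# allows s3:*; that it also allows lambda:* is assumed for the demonstration.
LAMBDA_FULL_ACCESS = {"Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "s3:*"], "Resource": "*"},
]}

# Inline policy from the question's EDIT (Deny-based).
UPDATED_INLINE = {"Statement": [
    {"Effect": "Deny",
     "Action": ["s3:DeleteBucket", "s3:DeleteBucketPolicy",
                "s3:PutBucketPolicy", "s3:PutBucketAcl"],
     "Resource": [BUCKET, BUCKET_OBJECTS]},
    {"Effect": "Deny", "NotAction": "s3:ListAllMyBuckets",
     "NotResource": [BUCKET, BUCKET_OBJECTS]},
]}

# Same intent with an explicit S3 action list instead of NotAction, so the
# Deny cannot reach other services. The list is an assumption made here, not
# the page's; it covers the common object-level and bucket-level S3 actions.
EXPLICIT_S3_INLINE = {"Statement": [
    UPDATED_INLINE["Statement"][0],
    {"Effect": "Deny",
     "Action": ["s3:Get*", "s3:Put*", "s3:Delete*", "s3:ListBucket*",
                "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
                "s3:RestoreObject", "s3:CreateBucket"],
     "NotResource": [BUCKET, BUCKET_OBJECTS]},
]}


def _matches(patterns, value, fold_case=False):
    """True if any IAM-style wildcard pattern ('*', '?') matches value."""
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    if fold_case:  # IAM action names are case-insensitive; ARNs are not
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatchcase(value, p) for p in pats)


def statement_applies(stmt, action, resource):
    """Does the statement cover this (action, resource) request?
    NotAction covers every action in every service except those listed;
    NotResource covers every resource not listed, including the bare '*'
    that actions without resource-level permissions are evaluated against."""
    if "Action" in stmt:
        if not _matches(stmt["Action"], action, fold_case=True):
            return False
    elif "NotAction" in stmt:
        if _matches(stmt["NotAction"], action, fold_case=True):
            return False
    if "Resource" in stmt:
        if not _matches(stmt["Resource"], resource):
            return False
    elif "NotResource" in stmt:
        if _matches(stmt["NotResource"], resource):
            return False
    return True


def evaluate(policies, action, resource):
    """'DENY' if any attached policy explicitly denies, 'ALLOW' if some
    statement allows and none denies, otherwise 'IMPLICIT_DENY'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


if __name__ == "__main__":
    other = "arn:aws:s3:::someone-elses-bucket/secret.txt"         # constructed ARN
    fn = "arn:aws:lambda:us-east-1:123456789012:function:my-fn"  # constructed ARN
    # The original inline policy alone never reaches the other bucket ...
    print(evaluate([ORIGINAL_INLINE], "s3:GetObject", other))                     # IMPLICIT_DENY
    # ... but stacked with the managed policy's s3:*, the other bucket opens up.
    print(evaluate([ORIGINAL_INLINE, LAMBDA_FULL_ACCESS], "s3:GetObject", other))  # ALLOW
    # The Deny-based rewrite closes that while keeping the bucket and the listing.
    print(evaluate([UPDATED_INLINE, LAMBDA_FULL_ACCESS], "s3:GetObject", other))   # DENY
    print(evaluate([UPDATED_INLINE, LAMBDA_FULL_ACCESS], "s3:ListAllMyBuckets", "*"))  # ALLOW
    # The catch: its NotAction Deny also reaches the Lambda API the managed policy was for.
    print(evaluate([UPDATED_INLINE, LAMBDA_FULL_ACCESS], "lambda:InvokeFunction", fn))      # DENY
    print(evaluate([EXPLICIT_S3_INLINE, LAMBDA_FULL_ACCESS], "lambda:InvokeFunction", fn))  # ALLOW
```

Run it with python3. The evaluator is only a way to reason about the documents; before relying on any of this, confirm the result the way the answer suggests (a fresh IAM user with nothing but this group) or with the IAM policy simulator, which does account for Conditions, boundaries and SCPs.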

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM