`boto3` and the AWS CLI fail to simulate an ELB policy


We used a simulator to check whether a policy has the permission to perform specific actions on specific ELB resources. The simulator returned implicitDeny instead of allowed. This result is erroneous, because the actions and the resources in the policy document were the same as the parameters of the simulator. To test this, we attached the policy to a role and used this role to perform the actions on the resources in a live AWS environment, and we were successful.

We will now attempt to reproduce this error as minimally as possible.

Both the AWS SDK for Python (a.k.a. boto3)

import boto3

policy_input_list = [
    """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
            ]
        }
    ]
}"""
]
action_names = ["elasticloadbalancing:AddTags"]
resource_arns = ["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]

# Ask the simulator whether the policy allows the action on the resource,
# then print each EvaluationResult (EvalDecision comes back as "implicitDeny").
response = boto3.client("iam").simulate_custom_policy(
    PolicyInputList=policy_input_list,
    ActionNames=action_names,
    ResourceArns=resource_arns,
)
for result in response["EvaluationResults"]:
    print(result["EvalActionName"], result["EvalResourceName"], result["EvalDecision"])

and the AWS CLI

policy_input_list='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["elasticloadbalancing:AddTags"],"Resource":["arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"]}]}'
action_names='elasticloadbalancing:AddTags'
resource_arns='arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*'

# Quote the expansions so the shell neither word-splits them nor glob-expands the '*' in the ARN.
aws iam simulate-custom-policy \
    --policy-input-list "$policy_input_list" \
    --action-names "$action_names" \
    --resource-arns "$resource_arns"

erroneously evaluate this to implicitDeny.

Interestingly, the IAM Policy Simulator correctly evaluates this to allowed.

The problematic statement

{
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags"
    ],
    "Resource": [
        "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
        "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
    ]
}

originates from the policy document of the AWS Load Balancer Controller (https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json). Any combination of these actions and resources (and only them) will be evaluated correctly by the IAM Policy Simulator, but incorrectly by boto3 and the AWS CLI.

Note that we are using the latest versions of boto3 (v1.27.72) and the AWS CLI (v1.27.72).
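To make the discrepancy easier to pin down, here is an added example (not code from the original post, the AWS Load Balancer Controller, or AWS). It goes a step beyond the post: it simulates the AddTags action against both the wildcard ARN the post uses and a concrete NLB listener ARN, follows pagination, and compares each simulator decision with a local IAM-style glob match of the policy's own Resource patterns, so a mismatch like the one reported stands out. The account ID, region and listener IDs in the concrete ARN are constructed placeholders, and SAMPLE_RESULTS is a constructed response in the shape SimulateCustomPolicy returns, not an observed result.

```python
"""Cross-check SimulateCustomPolicy decisions against the policy text.

Added example, not code from the original post. The concrete listener ARN,
account ID and region are constructed placeholders; SAMPLE_RESULTS is
constructed to show the response shape and is not an observed result.
"""
import json
import re

# The statement from the AWS Load Balancer Controller policy quoted in the post.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["elasticloadbalancing:AddTags",
                       "elasticloadbalancing:RemoveTags"],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*",
            ],
        }
    ],
}

WILDCARD_ARN = "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*"
# Constructed NLB listener ARN (fictitious account, region and IDs) in the
# listener/net/<lb-name>/<lb-id>/<listener-id> layout.
CONCRETE_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                "listener/net/my-nlb/50dc6c495c0c9188/f2f7dc8efc522ab2")


def iam_glob_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' spans any characters (including ':' and '/'), '?' one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def policy_allows(policy, action, arn):
    """What the policy text itself says: an Allow statement whose Action and
    Resource patterns both match. Conditions and Deny statements are ignored."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if (any(iam_glob_match(a, action, ignore_case=True) for a in actions)
                and any(iam_glob_match(r, arn) for r in resources)):
            return True
    return False


def simulate(iam, policy, action_names, resource_arns):
    """Call SimulateCustomPolicy, following Marker pagination, and return every EvaluationResult."""
    kwargs = {"PolicyInputList": [json.dumps(policy)],
              "ActionNames": action_names, "ResourceArns": resource_arns}
    results = []
    while True:
        resp = iam.simulate_custom_policy(**kwargs)
        results.extend(resp["EvaluationResults"])
        if not resp.get("IsTruncated"):
            return results
        kwargs["Marker"] = resp["Marker"]


def summarize(results):
    """Reduce EvaluationResults to {(action, resource): (decision, matched statement count)}."""
    return {(r["EvalActionName"], r["EvalResourceName"]):
            (r["EvalDecision"], len(r.get("MatchedStatements", [])))
            for r in results}


def disagreements(policy, results):
    """(action, resource, simulator decision, decision implied by the policy text)
    for every result where the two differ."""
    out = []
    for r in results:
        expected = "allowed" if policy_allows(policy, r["EvalActionName"], r["EvalResourceName"]) else "implicitDeny"
        if r["EvalDecision"] != expected:
            out.append((r["EvalActionName"], r["EvalResourceName"], r["EvalDecision"], expected))
    return out


# Constructed response in the shape the API returns. The wildcard entry mirrors
# what the post reports; the concrete entry's decision is illustrative only.
SAMPLE_RESULTS = [
    {"EvalActionName": "elasticloadbalancing:AddTags", "EvalResourceName": WILDCARD_ARN,
     "EvalDecision": "implicitDeny", "MatchedStatements": []},
    {"EvalActionName": "elasticloadbalancing:AddTags", "EvalResourceName": CONCRETE_ARN,
     "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "PolicyInputList.1", "SourcePolicyType": "IAM Policy"}]},
]


def main():
    import boto3  # imported here so the pure helpers above work without credentials
    iam = boto3.client("iam")
    results = simulate(iam, POLICY, ["elasticloadbalancing:AddTags"], [WILDCARD_ARN, CONCRETE_ARN])
    for (action, arn), (decision, matched) in summarize(results).items():
        print(f"{action} on {arn}: {decision} ({matched} matched statement(s))")
    for action, arn, got, expected in disagreements(POLICY, results):
        print(f"MISMATCH: simulator says {got}, policy text implies {expected} for {action} on {arn}")


if __name__ == "__main__":
    main()
```

Running main() against a live account needs iam:SimulateCustomPolicy permissions and reports only what the simulator returns; the local matcher is a sanity check on the policy text, not a replacement for the simulator, since it ignores Condition blocks and any Deny statements in other attached policies.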

No answers
