AWS IAM user policy that is used by the "Access Key Alias"

Document ID : KB000117256
Last Modified Date : 10/10/2018
Show Technical Document Details
Question:
When the IAM user who is set to the "access key alias" of the AWS has the "PowerUserAccess" policy only, the below understanding is correct? 
  1. On the AWS policy, if I set less restrict policy than the PowerUserAcesss, it is possible to do division of authority.
  2. On the AWS policy, if I set more restrict policy than the PowerUserAccess, when the user tries to AWS console from the Access screen, it will not reach the AWS console screen because of the access denied.
Environment:
CA Privileged Access Manager (PAM) r3.x
Answer:
They are correct.