Use NotAction with Allow

Example: Allow a user to execute all S3 actions without deleting S3 bucket.

{
    "Version": "2012-10-17",
    "Statement": [{
	    "Effect": "Allow",
			"NotAction": "s3:DeleteBucket",
			"Resource": "arn:aws:s3:::*"
    }]
}

User NotAction with Deny

Example: Deny access to non-IAM actions if the user is not signed in using MFA.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllUsersNotUsingMFA",
        "Effect": "Deny",
        "NotAction": "iam:*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }]
}