diff --git a/packages/amplify-e2e-tests/src/__tests__/auth_3a.test.ts b/packages/amplify-e2e-tests/src/__tests__/auth_3a.test.ts
index 583b78e541a..e81a1b2315f 100644
--- a/packages/amplify-e2e-tests/src/__tests__/auth_3a.test.ts
+++ b/packages/amplify-e2e-tests/src/__tests__/auth_3a.test.ts
@@ -40,7 +40,7 @@ describe('amplify add auth...a', () => {
     await removeAuthWithDefault(projRoot);
     await amplifyPushAuth(projRoot);
-    expect(AuthRoleName).not.toHaveValidPolicyConditionMatchingIdpId(idpId);
-    expect(UnauthRoleName).not.toHaveValidPolicyConditionMatchingIdpId(idpId);
+    expect(AuthRoleName).toHaveDenyAssumeRolePolicy();
+    expect(UnauthRoleName).toHaveDenyAssumeRolePolicy();
   });
 });
diff --git a/packages/amplify-e2e-tests/src/aws-matchers/iamMatcher.ts b/packages/amplify-e2e-tests/src/aws-matchers/iamMatcher.ts
index 465e11b60ce..b06e6e6874f 100644
--- a/packages/amplify-e2e-tests/src/aws-matchers/iamMatcher.ts
+++ b/packages/amplify-e2e-tests/src/aws-matchers/iamMatcher.ts
@@ -67,3 +67,30 @@ export const toHaveValidPolicyConditionMatchingIdpId = async (roleName: string,
     pass,
   };
 };
+
+export const toHaveDenyAssumeRolePolicy = async (roleName: string) => {
+  let pass = false;
+  let message = '';
+
+  try {
+    const iam = new IAM({
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
+      sessionToken: process.env.AWS_SESSION_TOKEN,
+    });
+
+    const { Role: role } = await iam.getRole({ RoleName: roleName }).promise();
+    const assumeRolePolicyDocument = JSON.parse(decodeURIComponent(role.AssumeRolePolicyDocument));
+
+    pass = assumeRolePolicyDocument?.Statement?.length === 1 && assumeRolePolicyDocument?.Statement?.[0]?.Effect === 'Deny';
+
+    message = pass ? 'Assume role policy has Effect: Deny' : `Assume role policy does not exist or does not have Effect: Deny.`;
+  } catch (e) {
+    message = 'IAM GetRole threw Error: ' + e.message;
+  }
+
+  return {
+    message: () => message,
+    pass,
+  };
+};
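Review bot: The two new assertions at the end of the hunk call an async matcher without awaiting it, so a role whose trust policy is not Deny-only surfaces as a rejected promise after the `it` callback has already returned rather than as a test failure; Jest requires matchers that return a promise to be awaited. The lines they replace had the same shape, so this is inherited, but the new lines are the place to fix it: `await expect(AuthRoleName).toHaveDenyAssumeRolePolicy();` and `await expect(UnauthRoleName).toHaveDenyAssumeRolePolicy();`. The `it` block containing these lines begins before the hunk, so I cannot confirm from here whether its callback is declared `async`; if it is not, that needs changing as well.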
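Review bot: The `pass` expression in `toHaveDenyAssumeRolePolicy` requires `Statement` to be an array of exactly one element, but it is the absence of any `Allow` statement, not the element count, that makes the role unassumable, and an IAM trust policy may also carry `Statement` as a bare object (which has no `length`), in which case a lone Deny written that way is reported as "does not have Effect: Deny". Normalizing first makes the security intent explicit: `const raw = assumeRolePolicyDocument?.Statement;`, `const statements = Array.isArray(raw) ? raw : raw ? [raw] : [];`, then `pass = statements.length > 0 && statements.every((s) => s?.Effect === 'Deny');`. A comment above it should state why this is the check: `// No Allow statement means nobody can call sts:AssumeRole* on this role; a Deny-only trust policy is the locked-down state this matcher asserts.` Separately, `e.message` in the catch block assumes `e` is an `Error`, which does not compile under `useUnknownInCatchVariables`; `e instanceof Error ? e.message : String(e)` is the safe form. The preceding matcher's body starts outside the hunk, so I could not check whether it shares these patterns.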
diff --git a/packages/amplify-e2e-tests/src/setup-tests.ts b/packages/amplify-e2e-tests/src/setup-tests.ts
index 94c6110ad04..ab3a190663b 100644
--- a/packages/amplify-e2e-tests/src/setup-tests.ts
+++ b/packages/amplify-e2e-tests/src/setup-tests.ts
@@ -1,4 +1,4 @@
-import { toBeIAMRoleWithArn, toHaveValidPolicyConditionMatchingIdpId, toBeAS3Bucket } from './aws-matchers';
+import { toBeIAMRoleWithArn, toHaveValidPolicyConditionMatchingIdpId, toBeAS3Bucket, toHaveDenyAssumeRolePolicy } from './aws-matchers';
 
 const removeYarnPaths = () => {
   // Remove yarn's temporary PATH modifications as they affect the yarn version used by jest tests when building the lambda functions
@@ -9,6 +9,7 @@ const removeYarnPaths = () => {
 
 expect.extend({ toBeIAMRoleWithArn });
 expect.extend({ toHaveValidPolicyConditionMatchingIdpId });
+expect.extend({ toHaveDenyAssumeRolePolicy });
 expect.extend({ toBeAS3Bucket });
 
 removeYarnPaths();
diff --git a/packages/amplify-e2e-tests/typings/aws-matchers.d.ts b/packages/amplify-e2e-tests/typings/aws-matchers.d.ts
index 2887c49b616..f06dc761f74 100644
--- a/packages/amplify-e2e-tests/typings/aws-matchers.d.ts
+++ b/packages/amplify-e2e-tests/typings/aws-matchers.d.ts
@@ -5,5 +5,6 @@ namespace jest {
     toBeIAMRoleWithArn(roleName: string, arn?: string): R;
     toBeAS3Bucket(bucketName: string): R;
     toHaveValidPolicyConditionMatchingIdpId(idpId: string): R;
+    toHaveDenyAssumeRolePolicy(): R;
   }
 }