I wish to achieve the following:
- Create S3 bucket that contains EMR bootstrap script and config file
- Apply policy to this bucket so that only EMR default roles can access it along with specific admin users
- EMR bootstrap action runs when cluster starts that accesses S3 bucket to retrieve script and config file and execute on EMR nodes
Here is the policy I have applied to the S3 bucket. I am using the NotPrincipal statement so it will deny access to everyone except the listed ARNs:
{
  "Id": "policy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": [
          "arn:aws:iam::xxxxxxxxxxxx:user/user1@mydomain.com",
          "arn:aws:iam::xxxxxxxxxxxx:user/user2@mydomain.com",
          "arn:aws:iam::xxxxxxxxxxxx:root",
          "arn:aws:iam::xxxxxxxxxxxx:role/EMR_DefaultRole",
          "arn:aws:iam::xxxxxxxxxxxx:role/EMR_EC2_DefaultRole"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucket-restricted-access",
        "arn:aws:s3:::bucket-restricted-access/*"
      ]
    }
  ]
}
I am then trying to create an EMR cluster via the C# AWS SDK that includes a bootstrap action to run a script from the following location:
s3://bucket-restricted-access/config/runscript.sh
However, as soon as the cluster starts I get an error:
Terminated with errors - Access denied trying to read bootstrap action file 's3://bucket-restricted-access/config/runscript.sh'
Is the EMR cluster using the assumed permissions from the EMR_EC2_DefaultRole role to try and retrieve the bootstrap action?
If not, is there another user/role that I need to add to the S3 bucket policy to fix the permissions issue?
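The following is an added illustration, not code from the question or from AWS: a simplified simulator of how a Deny statement with NotPrincipal matches caller identities. It models only the point the question turns on: Principal and NotPrincipal entries are compared as exact ARNs, and the credentials a role hands out present an STS session ARN (arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName), which is a different string from the role's own IAM ARN. AWS documents that a Deny with NotPrincipal must list both the role ARN and the assumed-role session ARN to exempt a role. The account id, user names, session names and the `deny_applies`/`with_session_principals` helpers are all constructed for the example; it does not model identity policies, explicit Allows or the special handling of the account root.

```python
from __future__ import annotations

import json
from fnmatch import fnmatchcase

# Constructed placeholders mirroring the shape of the policy in the question.
ACCOUNT = "123456789012"
BUCKET = "bucket-restricted-access"

POLICY = {
    "Id": "policy1",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    f"arn:aws:iam::{ACCOUNT}:user/user1@mydomain.com",
                    f"arn:aws:iam::{ACCOUNT}:root",
                    f"arn:aws:iam::{ACCOUNT}:role/EMR_DefaultRole",
                    f"arn:aws:iam::{ACCOUNT}:role/EMR_EC2_DefaultRole",
                ]
            },
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def deny_applies(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """Simplified model: does any Deny statement in the policy hit this caller?

    Action/Resource accept glob wildcards; Principal/NotPrincipal do not,
    so a caller is exempt from a NotPrincipal Deny only if its ARN appears
    verbatim in the list.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "NotPrincipal" in stmt:
            exempt = set(_as_list(stmt["NotPrincipal"].get("AWS", [])))
            if principal_arn in exempt:
                continue  # explicitly carved out of the Deny
        elif "Principal" in stmt:
            listed = _as_list(stmt["Principal"].get("AWS", []))
            if principal_arn not in listed and "*" not in listed:
                continue  # Deny is scoped to other principals
        return True
    return False


def with_session_principals(policy: dict, session_arns: list[str]) -> dict:
    """Return a copy of the policy whose NotPrincipal list also exempts the
    given assumed-role session ARNs, alongside the role ARNs already listed."""
    fixed = json.loads(json.dumps(policy))  # deep copy without mutating the input
    for stmt in fixed["Statement"]:
        if "NotPrincipal" in stmt:
            aws = _as_list(stmt["NotPrincipal"].get("AWS", []))
            stmt["NotPrincipal"]["AWS"] = aws + [s for s in session_arns if s not in aws]
    return fixed


BOOTSTRAP_OBJECT = f"arn:aws:s3:::{BUCKET}/config/runscript.sh"

# Constructed caller identities. The session name is chosen by whatever assumes
# the role (an instance id for an EC2 instance profile), so these are illustrative.
CALLERS = {
    "admin user": f"arn:aws:iam::{ACCOUNT}:user/user1@mydomain.com",
    "other user": f"arn:aws:iam::{ACCOUNT}:user/intern@mydomain.com",
    "role ARN": f"arn:aws:iam::{ACCOUNT}:role/EMR_EC2_DefaultRole",
    "EC2 session": f"arn:aws:sts::{ACCOUNT}:assumed-role/EMR_EC2_DefaultRole/i-0123456789abcdef0",
    "EMR session": f"arn:aws:sts::{ACCOUNT}:assumed-role/EMR_DefaultRole/EMRSession",
}


def evaluate(policy: dict) -> dict[str, bool]:
    """Map each constructed caller to whether the Deny blocks reading the bootstrap script."""
    return {
        name: deny_applies(policy, arn, "s3:GetObject", BOOTSTRAP_OBJECT)
        for name, arn in CALLERS.items()
    }


if __name__ == "__main__":
    print("original policy:", evaluate(POLICY))
    fixed = with_session_principals(POLICY, [CALLERS["EC2 session"], CALLERS["EMR session"]])
    print("with session ARNs:", evaluate(fixed))
```

Under this model the bare role ARN is exempt but the session ARNs that the roles' credentials actually present are still denied, which is the shape of failure the error message in the question describes; adding the session ARNs to NotPrincipal lifts the Deny for them while the unlisted user stays blocked. Because an instance-profile session name is not known when the policy is written, a common defender-side alternative is a Deny with `"Principal": "*"` and an `ArnNotEquals`/`ArnNotLike` condition on `aws:PrincipalArn`, which compares the role ARN rather than the per-session ARN; check that against the AWS IAM documentation for your case before relying on it.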