diff --git a/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts b/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
index 6f76cf381d..d3f6566b85 100644
--- a/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
+++ b/packages/amplify-graphql-auth-transformer/src/__tests__/amplify-admin-auth.test.ts
@@ -249,7 +249,19 @@ test('simple model with private IAM auth rule, few operations, and amplify admin
   expect(out.schema).toContain('getPost(id: ID!): Post @aws_iam');
   expect(out.schema).toContain('listPosts(filter: ModelPostFilterInput, limit: Int, nextToken: String): ModelPostConnection @aws_iam');
-
+  const policyResources = _.filter(out.rootStack.Resources, (r) => r.Type === 'AWS::IAM::ManagedPolicy');
+  expect(policyResources).toHaveLength(1);
+  const resources = _.get(policyResources, '[0].Properties.PolicyDocument.Statement[0].Resource');
+  const typeFieldList = _.map(resources, (r) => _.get(r, 'Fn::Sub[1]')).map((r) => `${_.get(r, 'typeName')}.${_.get(r, 'fieldName', '*')}`);
+  expect(typeFieldList).toEqual([
+    'Post.*',
+    'Query.getPost',
+    'Query.listPosts',
+    'Mutation.updatePost',
+    'Subscription.onCreatePost',
+    'Subscription.onUpdatePost',
+    'Subscription.onDeletePost',
+  ]);
   expect(out.resolvers['Mutation.updatePost.auth.1.res.vtl']).toMatchSnapshot();
   expect(out.resolvers['Mutation.updatePost.auth.1.res.vtl']).toContain(
     '#if( ($ctx.identity.userArn == $ctx.stash.authRole) || ($ctx.identity.cognitoIdentityPoolId == $ctx.stash.identityPoolId && $ctx.identity.cognitoIdentityAuthType == "authenticated") )',
@@ -308,9 +320,6 @@ test('simple model with AdminUI enabled should add IAM policy only for fields th
     'Post.*',
     'Query.getPost',
     'Query.listPosts',
-    'Mutation.createPost',
-    'Mutation.updatePost',
-    'Mutation.deletePost',
     'Subscription.onCreatePost',
     'Subscription.onUpdatePost',
     'Subscription.onDeletePost',
diff --git a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
index e81155e570..9369be5437 100644
--- a/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
+++ b/packages/amplify-graphql-auth-transformer/src/graphql-auth-transformer.ts
@@ -556,12 +556,13 @@ export class AuthTransformer extends TransformerAuthBase implements TransformerA
     const addServiceDirective = (typeName: string, operation: ModelOperation, operationName: string | null = null): void => {
       if (operationName) {
         const includeDefault = this.doesTypeHaveRulesForOperation(acm, operation);
-        const providers = this.getAuthProviders(acm.getRolesPerOperation(operation, operation === 'delete'));
+        const rolesPerOperation = acm.getRolesPerOperation(operation, operation === 'delete');
+        const providers = this.getAuthProviders(rolesPerOperation);
         const operationDirectives = this.getServiceDirectives(providers, includeDefault);
         if (operationDirectives.length > 0) {
           addDirectivesToOperation(ctx, typeName, operationName, operationDirectives);
         }
-        this.addOperationToResourceReferences(typeName, operationName, acm.getRoles());
+        this.addOperationToResourceReferences(typeName, operationName, rolesPerOperation);
       }
     };
     // default model operations
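Review bot: The switch from `acm.getRoles()` to `rolesPerOperation` in the `addOperationToResourceReferences` call needs a why-comment, because the defect it corrects is invisible from this hunk: the resource references appear to drive the generated `AWS::IAM::ManagedPolicy` (the companion test asserts that policy's per-type/field `Resource` list and drops the mutation entries that the rules never granted), so passing every role declared on the type over-granted IAM principals access to operations their rules did not allow. Suggest placing `// resource references feed the IAM policy: scope them to the roles allowed for this operation, not every role on the type` above that call so a future cleanup does not revert it to the type-wide list. The `operation === 'delete'` argument is a bare boolean whose meaning is not evident at the call site; binding it to a named constant before the `getRolesPerOperation` call would make the intent explicit (I cannot tell from this hunk what the flag selects). The enclosing method that defines `addServiceDirective` starts before this hunk and continues after it.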