AWS IoT Policy: subscribe vs receive actions
Most of the time I eventually create AWS IoT policies with the same content for the Subscribe and Receive actions. If someone is allowed to subscribe to a topic, it must be allowed to receive a message published to that topic.

Another approach is to specify the exact topics to subscribe to and use the catch-all wildcard (*) for the Receive action. If someone is allowed to subscribe to a list of topics, it will never receive messages from other topics, so why bother to specify the exact topics in the Receive action too?

The only use case where Receive should differ from Subscribe is when an already connected and subscribed thing/user must be disallowed from receiving messages published to a topic it has already subscribed to. However, this is a very particular situation.

Inspired answered 5/7, 2019 at 11:48

The situation you describe is exactly the situation described in the AWS documentation.

https://docs.aws.amazon.com/iot/latest/developerguide/policy-actions.html

iot:Receive

Represents the permission to receive a message from AWS IoT. The iot:Receive permission is checked every time a message is delivered to a client. Because this permission is checked on every delivery, it can be used to revoke permissions to clients that are currently subscribed to a topic.

Bicapsular answered 5/7, 2019 at 15:2
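To make the distinction the answer quotes concrete, here is an added simulation (my own example, not code from this thread or from AWS) of where the two checks fall: iot:Subscribe is evaluated once, at SUBSCRIBE time, against the topicfilter ARN; iot:Receive is evaluated on every delivery, against the topic ARN, so an explicit Deny on iot:Receive cuts off a client that is already subscribed. The region/account prefix, the sensors/ topics, the client id and the toy broker are constructed; the evaluator models only Effect/Action/Resource with IAM-style * and ? wildcards and ignores action wildcards and Condition keys.

```python
"""Simulated AWS IoT policy evaluation: iot:Subscribe is checked once at
SUBSCRIBE time, iot:Receive on every delivery (constructed example)."""
import copy
import re
from typing import Dict, List, Tuple

# Placeholder region/account prefix; not a real account.
ARN_PREFIX = "arn:aws:iot:us-east-1:123456789012"

# Policy in the shape the question describes: Subscribe and Receive scoped
# to the same topic namespace (constructed sample policy).
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN_PREFIX}:topicfilter/sensors/*"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"{ARN_PREFIX}:topic/sensors/*"},
    ],
}


def _arn_matches(pattern: str, resource: str) -> bool:
    """IAM-style resource matching: '*' spans any characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, resource) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluator: explicit Deny wins, else any matching Allow
    grants, else implicit deny. Action wildcards/Conditions not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if action not in actions or not any(_arn_matches(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def mqtt_filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching with '+' (one level) and '#' (remainder)."""
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts) or (part != "+" and part != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)


class Broker:
    """Toy broker applying the two checks where AWS IoT applies them."""

    def __init__(self) -> None:
        self.policies: Dict[str, dict] = {}            # client id -> attached policy
        self.subscriptions: Dict[str, List[str]] = {}  # client id -> topic filters

    def subscribe(self, client_id: str, topic_filter: str) -> bool:
        # iot:Subscribe is evaluated once, against the topicfilter ARN.
        resource = f"{ARN_PREFIX}:topicfilter/{topic_filter}"
        if not is_allowed(self.policies[client_id], "iot:Subscribe", resource):
            return False
        self.subscriptions.setdefault(client_id, []).append(topic_filter)
        return True

    def publish(self, topic: str) -> List[str]:
        """Deliver to matching subscribers; return the ids that actually receive."""
        resource = f"{ARN_PREFIX}:topic/{topic}"
        delivered = []
        for client_id, filters in self.subscriptions.items():
            if not any(mqtt_filter_matches(f, topic) for f in filters):
                continue
            # iot:Receive is evaluated on every delivery, against the topic ARN.
            if is_allowed(self.policies[client_id], "iot:Receive", resource):
                delivered.append(client_id)
        return delivered


def with_receive_revoked(policy: dict, topic_pattern: str) -> dict:
    """Copy of the policy with an explicit Deny on iot:Receive for one topic pattern."""
    revoked = copy.deepcopy(policy)
    revoked["Statement"].append({"Effect": "Deny", "Action": "iot:Receive",
                                 "Resource": f"{ARN_PREFIX}:topic/{topic_pattern}"})
    return revoked


def demo() -> Tuple[List[str], List[str], List[str]]:
    broker = Broker()
    broker.policies["thing-1"] = BASE_POLICY
    assert broker.subscribe("thing-1", "sensors/#")
    before = broker.publish("sensors/room1/temp")      # thing-1 receives
    # Operator attaches the revised policy; the live subscription is untouched.
    broker.policies["thing-1"] = with_receive_revoked(BASE_POLICY, "sensors/room1/*")
    after = broker.publish("sensors/room1/temp")       # delivery now blocked
    elsewhere = broker.publish("sensors/room2/temp")   # other topics unaffected
    return before, after, elsewhere


if __name__ == "__main__":
    print(demo())
```

The subscription to sensors/# survives the policy change, yet the second publish to sensors/room1/temp is not delivered, because only the per-delivery iot:Receive check sees the new Deny; a Subscribe-only restriction would have no effect until the client re-subscribed.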