Status: IN
The IAM permissions granted to CloudTrail administrators are separate from the permissions CloudTrail itself needs to deliver logs to S3 or send SNS notifications; the latter require separate bucket and topic policies.
Source: entries/2026/03/12/awscloudtrail-latest-userguide-security_iam_id-based-policy-exampleshtml.md