{"id":"iam-policy-generation-no-control-tower-trails","text":"AWS Control Tower trails are not supported for IAM Access Analyzer policy generation because organization logs go to a separate Log Archive account with restricted S3 bucket permissions.","truth_value":"IN","source":"entries/2026/03/11/IAM-latest-UserGuide-access_policies_generate-policyhtml.md","source_url":"","source_hash":"3c51b860f802c822","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-policy-generation-no-control-tower-trails","truth_value":"IN","reason":"premise"}]}}