Status: IN
IAM Access Analyzer policy generation requires a service role whose trust policy allows `access-analyzer.amazonaws.com` to assume it. The role must have `cloudtrail:GetTrail`, `iam:GetServiceLastAccessedDetails`, `iam:GenerateServiceLastAccessedDetails`, and S3 read access to the trail bucket.
Source: entries/2026/03/11/IAM-latest-UserGuide-access_policies_generate-policyhtml.md
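
A check of a candidate service role against the requirement above, as an added example that is not part of the original entry or the AWS documentation. It assumes "S3 read access" means `s3:GetObject` and `s3:ListBucket`, evaluates only Allow statements (Deny and Condition are ignored), and uses constructed policy documents with a placeholder bucket name.

```python
import fnmatch

PRINCIPAL = "access-analyzer.amazonaws.com"
# First three actions are named in the entry; the two S3 actions are an
# assumed reading of "S3 read access to the trail bucket".
REQUIRED = ["cloudtrail:GetTrail", "iam:GetServiceLastAccessedDetails",
            "iam:GenerateServiceLastAccessedDetails", "s3:GetObject", "s3:ListBucket"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows(doc):
    # Only Allow statements are considered; Deny and Condition are ignored here.
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]

def trusts_access_analyzer(trust_doc):
    """True if an Allow statement lets the service principal call sts:AssumeRole."""
    for stmt in _allows(trust_doc):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if PRINCIPAL in services and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            return True
    return False

def missing_actions(permission_docs):
    """Required actions that no Allow statement grants (IAM * and ? wildcards honoured)."""
    granted = [a.lower() for doc in permission_docs for s in _allows(doc)
               for a in _as_list(s.get("Action", []))]
    return [r for r in REQUIRED
            if not any(fnmatch.fnmatchcase(r.lower(), g) for g in granted)]

def unscoped_s3(permission_docs):
    """S3 actions allowed on Resource "*" instead of the trail bucket."""
    return [a for doc in permission_docs for s in _allows(doc)
            if "*" in _as_list(s.get("Resource", []))
            for a in _as_list(s.get("Action", [])) if a.lower().startswith("s3:")]

# Constructed sample documents; EXAMPLE-TRAIL-BUCKET is a placeholder.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": PRINCIPAL}, "Action": "sts:AssumeRole"}]}
PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED[:3], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::EXAMPLE-TRAIL-BUCKET", "arn:aws:s3:::EXAMPLE-TRAIL-BUCKET/*"]}]}

if __name__ == "__main__":
    print(trusts_access_analyzer(TRUST), missing_actions([PERMS]), unscoped_s3([PERMS]))
```

An empty result from `missing_actions` and `unscoped_s3` together with a true trust check means the role meets the stated requirement without granting S3 read on every bucket.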