{"id":"iam-policy-generation-service-role-required","text":"IAM Access Analyzer policy generation requires a service role with trust to `access-analyzer.amazonaws.com` that has `cloudtrail:GetTrail`, `iam:GetServiceLastAccessedDetails`, `iam:GenerateServiceLastAccessedDetails`, and S3 read access to the trail bucket.","truth_value":"IN","source":"entries/2026/03/11/IAM-latest-UserGuide-access_policies_generate-policyhtml.md","source_url":"","source_hash":"3c51b860f802c822","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"iam-policy-generation-service-role-required","truth_value":"IN","reason":"premise"}]}}