Give employee access to S3.

0

Hello, I am trying to give an employee in my company access to S3 and he keeps getting the following error: is not authorized to perform: access-analyzer:ListPolicyGenerations on resource: arn:aws:access-analyzer. I have already given the AmazonS3FullAccess permission. What other permissions do I need to give? Thanks

2 Answers
0

Here's some documentation on setting up permissions for access analyzer. Let me know if this helps. https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html

answered 2 years ago
0

Hi!

Where is your employee seeing the access-analyzer:ListPolicyGenerations error? Is this in the console on S3? Some services in AWS (including S3) use access-analyzer to analyze properties such as if an S3 bucket is public: https://s3.console.aws.amazon.com/s3/access?region=us-east-1. The error your employee may be seeing may be a general warning banner on the S3 service, but it should not interfere if your employee is only trying to manage an S3 bucket and the objects within.

It depends on what your employee is trying to do and how you have S3 configured.

  • If the bucket is encrypted, ensure the KMS Keys also grant appropriate permissions (KMS Key policies if Customer Managed) and IAM Permissions as needed.
  • If they're trying to fully manage S3, S3FullAccess will work, but keep in mind this includes permissions such as PutAccountPublicAccessBlock which can change the account setting for public access blocking on the account (and S3).
  • I sometimes recommend attaching an AWS Managed Policy that grants read permissions if they are in the console, such as arn:aws:iam::aws:policy/ReadOnlyAccess (this includes some access-analyzer permissions and can immediately unblock you). Keep in mind that this can provide data access, so it may make sense

Keep in mind that some companies and AWS administrators even believe AmazonS3FullAccess to be over-permissive and choose to do more scoping on resources as well.

jsonc
answered 2 years ago
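
The following is an added example, not part of either answer or of AWS documentation: a simplified policy check that shows why `s3:*` does not cover `access-analyzer:ListPolicyGenerations`, and how a bucket-scoped policy avoids `s3:PutAccountPublicAccessBlock`. The bucket name, the scoped policy, and the reduced evaluation logic are assumptions; the first policy is a constructed approximation of AmazonS3FullAccess.

```python
import fnmatch

# Constructed approximation of AmazonS3FullAccess: all S3 actions on all resources.
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}],
}

# Hypothetical scoped alternative for one bucket (the bucket name is a placeholder).
BUCKET = "example-team-bucket"
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Effect": "Allow", "Action": "access-analyzer:ListPolicyGenerations", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource="*"):
    """Simplified identity-policy check: explicit Deny wins, then any matching Allow.
    Ignores Condition, NotAction, NotResource, SCPs and permission boundaries."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        act_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(policy):
    """Run the checks discussed in the thread against one policy document."""
    return {
        "list_policy_generations": allows(policy, "access-analyzer:ListPolicyGenerations"),
        "change_account_public_access_block": allows(policy, "s3:PutAccountPublicAccessBlock"),
        "read_team_object": allows(policy, "s3:GetObject", f"arn:aws:s3:::{BUCKET}/report.csv"),
        "read_other_bucket": allows(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
    }
```

Real IAM evaluation also considers conditions, resource policies, KMS key policies and organization-level controls, so treat the result as a first-pass review of an identity policy only.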
