A quick glance at the two policies indicates that ViewOnlyAccess provides basic access to 93 unique services, while ReadOnlyAccess provides 273.
It’s going to depend on the tables you’re syncing, but that’s quite a difference, so I’d be surprised if ViewOnlyAccess didn’t run into more permission errors.
If you’re interested, here are the services not mentioned in ViewOnlyAccess but mentioned in ReadOnlyAccess. Some of these have corresponding CQ tables, some don’t: Gist Link
In any case, we’d always recommend reviewing the tables you need and tailoring your policy to only allow access to the services/resources you’re syncing.
While ViewOnlyAccess supports some services like iam, it only provides access to the list* actions and not any of the Get*. This is common across many of the other services as well. ViewOnlyAccess is intended to only give a very limited view of the AWS account.
If you really want to generate a narrowly permissive policy for your IAM access, I would suggest investigating the IAM Access Analyzer policy generation functionality: IAM Access Analyzer policy generation
This enables AWS to analyze your CloudTrail events and generate a policy based on that activity.
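The points made above (service coverage differs between the two managed policies, and ViewOnlyAccess grants `List*` but not `Get*` for services like IAM) can be checked mechanically before a sync ever runs. The script below is an added example, not code from CloudQuery or AWS; the two policy documents in it are constructed, heavily abbreviated stand-ins for the real managed policies, and the list of required actions is a hypothetical inventory-sync workload. It computes which services one policy grants that the other does not, tests a set of required actions against the IAM wildcard patterns a policy allows, and shows the tailored least-privilege document that would be written instead.

```python
import fnmatch
import json

# Constructed, abbreviated stand-ins for the AWS managed policies discussed in the
# thread. The real documents are far larger (93 vs 273 services per the thread);
# only enough shape is kept here to demonstrate the comparison.
VIEW_ONLY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:List*", "ec2:DescribeInstances", "s3:ListAllMyBuckets"],
        "Resource": "*",
    }],
}
READ_ONLY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:List*", "iam:Get*", "ec2:Describe*", "s3:Get*", "s3:List*",
                   "lambda:List*", "lambda:Get*"],
        "Resource": "*",
    }],
}

# Hypothetical actions a read-only inventory sync of IAM and Lambda would call.
REQUIRED_ACTIONS = ["iam:ListRoles", "iam:GetRole",
                    "lambda:ListFunctions", "lambda:GetFunction"]


def allowed_actions(policy):
    """Every Allow action pattern in the policy; 'Action' may be a string or a list."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(actions)
    return patterns


def services(policy):
    """Service prefixes (the part before the colon) mentioned anywhere in the policy."""
    return {p.split(":", 1)[0].lower() for p in allowed_actions(policy)}


def services_only_in(policy_a, policy_b):
    """Services policy_a mentions that policy_b does not mention at all."""
    return sorted(services(policy_a) - services(policy_b))


def is_allowed(policy, action):
    """True if some Allow pattern matches the action.

    IAM action matching is case-insensitive and supports '*' (any run) and '?'
    (one character) wildcards, which fnmatch reproduces once both sides are lowercased.
    """
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in allowed_actions(policy))


def missing_actions(policy, required):
    """Required actions the policy does not grant: the calls a sync would see AccessDenied on."""
    return [a for a in required if not is_allowed(policy, a)]


def tailored_policy(required):
    """A least-privilege document granting exactly the required actions and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(required), "Resource": "*"}],
    }


if __name__ == "__main__":
    print("services only in ReadOnlyAccess excerpt:",
          services_only_in(READ_ONLY_EXCERPT, VIEW_ONLY_EXCERPT))
    print("ViewOnlyAccess excerpt would deny:",
          missing_actions(VIEW_ONLY_EXCERPT, REQUIRED_ACTIONS))
    print("ReadOnlyAccess excerpt would deny:",
          missing_actions(READ_ONLY_EXCERPT, REQUIRED_ACTIONS))
    print(json.dumps(tailored_policy(REQUIRED_ACTIONS), indent=2))
```

The helper only inspects Allow action patterns; a production check would also have to honour explicit Deny statements, `NotAction`, resource ARNs and `Condition` blocks, and the action list fed to it should come from the tables actually being synced rather than a guess.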
Using IAM Access Analyzer for that sounds like a great recommendation indeed, but we would need to repeat that exercise every time we add a new table. The main reason I asked this question is that we would like to prevent any kind of data-related access for compliance reasons.