The last policy allows the accountant to read any object on that bucket given that he has the specific URL of the object, and that he is using something like the AWS CLI with his credentials- which actually can't since he only has console access. He can't paste the URL on the browser and download the object since he is not authenticated.
The first two permissions grant the accountant the ability to list the objects on the bucket right from the AWS console. And, since he is already authenticated with AWS, he can then download the object because the last policy allows it.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.