Amazon Inspector Public Bucket Access Denied

We have an 'unauthorised API call' alarm that is being tripped by Amazon Inspector. It's attempting to download windows.zip from an AWS Public Bucket. Here is a snippet of the Cloudwatch log:-

    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "Redacted IP Address",
    "userAgent": "[aws-sdk-go/1.44.78 (go1.18.3; windows; amd64) amazon-ssm-agent/]",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "bucketName": "aws-ssm-document-attachments-ap-southeast-2",
        "Host": "aws-ssm-document-attachments-ap-southeast-2.s3.ap-southeast-2.amazonaws.com",
        "key": "e89/810622359321/AmazonInspector2-InspectorSsmPlugin!d6f98620-d464-4b63-ab7c-e10b41c673c6/20/windows.zip"
    },

We've setup an Instance role and attached permissions policy as specified here:- https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-minimum-s3-permissions.html

In fact, I added GetBucket* and ListBuckets at the Bucket level as well just in case that was the issue.

When I look in Systems Manager, Fleet Manager it showed failures invoking AmazonInspector2-ConfigureInspectorSsmPlugin and AmazonInspector2-InvokeInspectorSsmPlugin for the instance in question.

We are getting quite a few of these 'Access Denied' errors, but I have allocated the listed permissions. I also checked that my VPC Endpoint Policy does not restrict access.

The only issue might be there is a Service Control Policy that is denying access. Has anybody got any other insights as to what might be causing this?