MalformedPolicy (cloud, config_error; ai_generated: true)

AccessDenied: The bucket policy is too large. The maximum size for a bucket policy is 20 KB.

ID: cloud/aws-s3-bucket-policy-too-large

Fix Rate: 90%
Confidence: 85%
Evidence: 1
First Seen: 2023-04-10

Version Compatibility

Version                  Status   Introduced   Deprecated   Notes
AWS S3 API 2006-03-01    active   -            -            -
AWS CLI 2.15             active   -            -            -

Root Cause

The combined size of the bucket policy JSON document exceeds AWS's 20 KB limit, often due to many statements or long ARNs.

Official Documentation

https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html

Workarounds

  1. 95% success: Use IAM policies instead of bucket policies for user/role-based access. Move per-user statements to IAM and keep only cross-account or service-wide rules in the bucket policy.
  2. 85% success: Consolidate multiple statements using wildcards and condition keys. Example: change separate statements for each prefix to a single statement with an 's3:prefix' condition and multiple values in Resource.
  3. 90% success: Use S3 Access Points with their own policies to offload permissions from the bucket policy. Create an access point and attach a policy there.
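As an added example (not part of this entry and not AWS tooling), the following Python script applies workaround 2 mechanically and a little more generally: it merges any statements that differ only in Resource into one statement with a Resource array, which changes nothing about what the policy grants, and measures the compact-JSON size against the 20 KB limit. The account id, role and bucket in the sample policy are constructed placeholders.

```python
import json

POLICY_SIZE_LIMIT = 20 * 1024  # the 20 KB limit quoted in the error message
# Fields that must be identical before two statements may be merged by Resource.
MERGE_KEYS = ("Effect", "Principal", "NotPrincipal", "Action", "NotAction", "Condition")

def _as_list(value):
    return list(value) if isinstance(value, list) else [value]

def _merge_key(stmt):
    # Canonical JSON of the merge fields; sort_keys makes dict key order irrelevant.
    return json.dumps({k: stmt.get(k) for k in MERGE_KEYS}, sort_keys=True)

def consolidate_by_resource(policy):
    """Merge statements that differ only by Resource into one statement with a
    Resource array. IAM ORs all matching statements, so this never widens access,
    unlike hand-written wildcards. NotResource statements pass through; Sids are dropped."""
    groups, order, passthrough = {}, [], []
    for stmt in policy.get("Statement", []):
        if "NotResource" in stmt or "Resource" not in stmt:
            passthrough.append(stmt)
            continue
        key = _merge_key(stmt)
        if key not in groups:
            groups[key] = {k: stmt[k] for k in MERGE_KEYS if k in stmt}
            groups[key]["Resource"] = []
            order.append(key)
        for arn in _as_list(stmt["Resource"]):
            if arn not in groups[key]["Resource"]:  # drop exact duplicates
                groups[key]["Resource"].append(arn)
    merged = [groups[k] for k in order]
    for s in merged:  # single-element arrays back to a plain string
        if len(s["Resource"]) == 1:
            s["Resource"] = s["Resource"][0]
    return {**policy, "Statement": merged + passthrough}

def policy_size_bytes(policy):
    """Byte size of the compact JSON form, which is the form worth submitting."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def fits_limit(policy):
    return policy_size_bytes(policy) <= POLICY_SIZE_LIMIT

# Constructed sample (placeholder account, role, bucket): one GetObject statement per team prefix.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": f"Read{i}", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
     "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::example-bucket/team-{i}/*"} for i in range(150)]}
```

Statements whose Action or Principal lists are written in a different order are deliberately not merged; the script only combines what is provably identical, so the output is safe to review and submit as-is.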

Dead Ends

Common approaches that don't work:

  1. 99% fail: Compressing the JSON or removing whitespace saves negligible space while breaking readability.
  2. 70% fail: Splitting the policy across multiple buckets requires restructuring application logic and often isn't feasible.
  3. 85% fail: Using a different IAM role per statement in the same policy doesn't reduce size; it may increase it.