{ "id": "cloud/aws-s3-bucket-policy-too-large", "signature": "AccessDenied: The bucket policy is too large. The maximum size for a bucket policy is 20 KB.", "signature_zh": "访问被拒:存储桶策略过大。存储桶策略的最大大小为 20 KB。", "regex": "The bucket policy is too large.*maximum size.*20 KB", "domain": "cloud", "category": "config_error", "subcategory": null, "root_cause": "The combined size of the bucket policy JSON document exceeds AWS's 20 KB limit, often due to many statements or long ARNs.", "root_cause_type": "generic", "root_cause_zh": "存储桶策略 JSON 文档的总大小超过 AWS 的 20 KB 限制,通常由过多语句或长 ARN 导致。", "versions": [ { "version": "AWS S3 API 2006-03-01", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS CLI 2.15", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Compressing the JSON or removing whitespace saves negligible space while breaking readability.", "fail_rate": 0.99, "condition": "", "sources": [] }, { "action": "", "why_fails": "Splitting policy across multiple buckets requires restructuring app logic and often isn't feasible.", "fail_rate": 0.7, "condition": "", "sources": [] }, { "action": "", "why_fails": "Using a different IAM role per statement on the same policy doesn't reduce size; it may increase it.", "fail_rate": 0.85, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Use IAM policies instead of bucket policies for user/role-based access. Move per-user statements to IAM and keep only cross-account or service-wide rules in the bucket policy.", "success_rate": 0.95, "how": "Use IAM policies instead of bucket policies for user/role-based access. Move per-user statements to IAM and keep only cross-account or service-wide rules in the bucket policy.", "condition": "", "sources": [] }, { "action": "Consolidate multiple statements using wildcards and condition keys. Example: change separate statements for each prefix to a single statement with 's3:prefix' condition and multiple values in Resource.", "success_rate": 0.85, "how": "Consolidate multiple statements using wildcards and condition keys. Example: change separate statements for each prefix to a single statement with 's3:prefix' condition and multiple values in Resource.", "condition": "", "sources": [] }, { "action": "Use S3 Access Points with their own policies to offload permissions from the bucket policy. Create an access point and attach a policy there.", "success_rate": 0.9, "how": "Use S3 Access Points with their own policies to offload permissions from the bucket policy. Create an access point and attach a policy there.", "condition": "", "sources": [] } ], "workarounds_zh": [ "使用 IAM 策略代替存储桶策略来管理用户/角色权限。将用户级别的语句移到 IAM,存储桶策略仅保留跨账户或服务范围的规则。", "使用通配符和条件键合并多个语句。例如:将每个前缀的单独语句改为一个带 's3:prefix' 条件和多个 Resource 值的语句。", "使用 S3 接入点及其策略来分担存储桶策略的权限。创建接入点并在其上附加策略。" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html", "official_doc_section": null, "error_code": "MalformedPolicy", "verification_tier": "ai_generated", "confidence": 0.85, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2023-04-10", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }