# AccessDenied: The bucket policy is too large. The maximum size for a bucket policy is 20 KB.

- **ID:** `cloud/aws-s3-bucket-policy-too-large`
- **Domain:** cloud
- **Category:** config_error
- **Error Code:** `MalformedPolicy`
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The serialized bucket policy JSON document exceeds the 20 KB limit that AWS enforces on bucket policies, usually because the policy contains many statements or long resource ARNs.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 API 2006-03-01 | active | — | — |
| AWS CLI 2.15 | active | — | — |

## Workarounds

1. **Use IAM policies instead of bucket policies for user- and role-based access: move per-user statements into identity-based IAM policies and keep only cross-account or service-wide rules in the bucket policy.** (95% success)
2. **Consolidate statements with wildcards and condition keys. For example, replace one statement per prefix with a single statement that lists several ARNs (or a wildcard) in Resource and uses an `s3:prefix` condition with multiple values.** (85% success)
3. **Use S3 Access Points, each with its own policy, to offload permissions from the bucket policy: create an access point and attach the relevant policy to it.** (90% success)
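
The consolidation in workaround 2, as an added example that is not part of this entry: it measures a policy against the 20 KB limit and merges statements that differ only in `Sid` and `Resource` into one statement with a combined `Resource` list, which is permission-equivalent to the separate statements. The sample policy, the account number and the role and bucket ARNs are constructed placeholders.

```python
import json

BUCKET_POLICY_LIMIT = 20 * 1024  # S3 bucket policy hard limit: 20 KB

def policy_size(policy):
    """Bytes of the policy as compact JSON, the form to compare against the limit."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def consolidate(policy):
    """Merge statements that differ only in Sid/Resource (same Effect, Principal, Action,
    Condition) into one statement with a combined Resource list. Semantics are unchanged:
    one statement listing N ARNs grants exactly what N single-ARN statements grant."""
    merged, order = {}, []
    for stmt in policy.get("Statement", []):
        if "Resource" not in stmt:  # NotResource statements pass through untouched
            merged[id(stmt)] = stmt
            order.append(id(stmt))
            continue
        key = json.dumps({k: v for k, v in stmt.items() if k not in ("Sid", "Resource")},
                         sort_keys=True)
        arns = stmt["Resource"]
        arns = [arns] if isinstance(arns, str) else list(arns)
        if key not in merged:  # Sid dropped: a merged statement has no single Sid
            merged[key] = {**{k: v for k, v in stmt.items() if k != "Sid"}, "Resource": []}
            order.append(key)
        for arn in arns:
            if arn not in merged[key]["Resource"]:
                merged[key]["Resource"].append(arn)
    return {**policy, "Statement": [merged[k] for k in order]}

def check(policy):
    """Return (bytes before, bytes after consolidation, fits in 20 KB after)."""
    before, after = policy_size(policy), policy_size(consolidate(policy))
    return before, after, after <= BUCKET_POLICY_LIMIT

# Constructed sample: one GetObject statement per tenant prefix for the same role,
# the shape that pushes a bucket policy past the limit. Account and ARNs are placeholders.
ROLE = "arn:aws:iam::111122223333:role/app-reader"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": f"Read{i}", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::example-bucket/tenant-{i}/*"}
        for i in range(300)
    ],
}

if __name__ == "__main__":
    print("before=%d bytes, after=%d bytes, fits=%s" % check(SAMPLE_POLICY))
```

Statements with different conditions or principals are intentionally kept apart, so run the output through your policy validator before applying it.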

## Dead Ends

- Compressing the JSON or removing whitespace saves negligible space while breaking readability. (99% fail)
- Splitting the policy across multiple buckets requires restructuring application logic and often isn't feasible. (70% fail)
- Using a different IAM role per statement in the same policy doesn't reduce its size; it may increase it. (85% fail)
