Error: Error putting S3 bucket policy: The bucket policy is too large. Maximum policy size is 20 KB.
ID: policy/aws-s3-bucket-policy-size-limit-exceeded
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS S3 | active | — | — | — |
| AWS CLI 2.x | active | — | — | — |
| AWS SDK for Python (boto3) 1.28+ | active | — | — | — |
Root Cause
The S3 bucket policy document exceeds the 20 KB size limit that AWS imposes on bucket policies, usually because of an excessive number of statements, long ARNs, or large condition blocks.
Official Documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html
Workarounds
- 85% success: Consolidate multiple statements that share the same Effect, Principal, Action and Condition into a single statement with a list of resources. For example, replace separate statements for each bucket with one statement that lists all the bucket ARNs in the Resource field. Apply the result with `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json`, and check the file size beforehand with `ls -l policy.json`.
- 80% success: Move some permissions into IAM policies attached to users or roles instead of keeping them in the bucket policy. For example, if the bucket policy grants access to several IAM users, create one IAM policy that grants the same permissions and attach it to those users. This reduces the bucket policy size.
- 70% success: Use S3 Access Points or S3 Object Lambda to offload some policy logic from the bucket policy. Each access point has its own policy (with its own 20 KB limit), so access control can be delegated to them.
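The first two workarounds above, carried out in code, as an added example that is not part of the original page: it measures a policy's byte count the way S3 will see it, merges statements that differ only in `Resource`, and moves same-account `Allow` statements into an IAM identity policy while leaving `Deny` statements and cross-account grants in the bucket policy (an identity policy cannot reproduce those). It uses only the standard library; the bucket name, account IDs, role names and prefixes in the sample policy are constructed, and the `20 * 1024` limit is an assumption about how AWS counts "20 KB".

```python
"""Added example: shrink an oversized S3 bucket policy (constructed data, stdlib only)."""
import json
from typing import Any, Dict, List, Tuple

Policy = Dict[str, Any]
BUCKET_POLICY_LIMIT = 20 * 1024  # assumption: AWS's "20 KB" bucket policy limit in bytes

ACCOUNT = "123456789012"   # constructed account ID
BUCKET = "my-bucket"       # constructed bucket name


def policy_size_bytes(policy: Policy, compact: bool = False) -> int:
    """Byte count of the JSON document as it would be uploaded to S3."""
    text = json.dumps(policy, separators=(",", ":")) if compact else json.dumps(policy, indent=2)
    return len(text.encode("utf-8"))


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _merge_key(stmt: Policy) -> str:
    """Canonical form of everything except Sid and Resource. Two statements with the
    same key (Effect, Principal, Action, Condition, ...) may safely share one Resource list."""
    return json.dumps({k: v for k, v in stmt.items() if k not in ("Sid", "Resource")}, sort_keys=True)


def consolidate_statements(policy: Policy) -> Policy:
    """Workaround 1: merge statements that differ only in Resource into one statement."""
    merged: Dict[str, Policy] = {}
    out: List[Policy] = []
    for stmt in policy["Statement"]:
        if "Resource" not in stmt:          # NotResource statements are left untouched
            out.append(stmt)
            continue
        key = _merge_key(stmt)
        if key not in merged:
            new = dict(stmt)                 # keeps the first statement's Sid
            new["Resource"] = list(dict.fromkeys(_as_list(stmt["Resource"])))
            merged[key] = new
            out.append(new)
        else:
            resources = merged[key]["Resource"]
            for arn in _as_list(stmt["Resource"]):
                if arn not in resources:
                    resources.append(arn)
    return {**policy, "Statement": out}


def _same_account_iam_principal(principal: Any, account_id: str) -> bool:
    """True only for an explicit list of IAM ARNs in our own account (never '*' or other accounts)."""
    if not isinstance(principal, dict) or set(principal) != {"AWS"}:
        return False
    prefix = f"arn:aws:iam::{account_id}:"
    return all(isinstance(p, str) and p.startswith(prefix) for p in _as_list(principal["AWS"]))


def offload_to_identity_policy(policy: Policy, account_id: str) -> Tuple[Policy, Policy]:
    """Workaround 2: move Allow statements for same-account IAM principals into an identity
    policy (same-account access needs only one of the two to allow). Deny statements and
    cross-account grants stay in the bucket policy."""
    keep: List[Policy] = []
    moved: List[Policy] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and _same_account_iam_principal(stmt.get("Principal"), account_id):
            moved.append({k: v for k, v in stmt.items() if k != "Principal"})  # identity policies have no Principal
        else:
            keep.append(stmt)
    return {**policy, "Statement": keep}, {"Version": "2012-10-17", "Statement": moved}


def build_sample_policy() -> Policy:
    """Constructed policy: one statement per team prefix for the same role, plus a TLS deny
    and a cross-account grant that must stay in the bucket policy."""
    stmts: List[Policy] = [{
        "Sid": f"Team{i}",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/team-{i}/*",
    } for i in range(40)]
    stmts.append({
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    stmts.append({
        "Sid": "PartnerRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::999999999999:role/partner"},  # constructed partner account
        "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/shared/*",
    })
    return {"Version": "2012-10-17", "Statement": stmts}


if __name__ == "__main__":
    original = build_sample_policy()
    merged = consolidate_statements(original)
    bucket_side, identity_side = offload_to_identity_policy(merged, ACCOUNT)
    for label, p in (("original", original), ("consolidated", merged), ("bucket after offload", bucket_side)):
        size = policy_size_bytes(p)
        print(f"{label:22s} {len(p['Statement']):3d} statements, {size:6d} bytes pretty, "
              f"{policy_size_bytes(p, compact=True):6d} compact, fits={size <= BUCKET_POLICY_LIMIT}")
    json.dump(bucket_side, open("policy.json", "w"), indent=2)  # then: aws s3api put-bucket-policy ...
```

The compact size is printed alongside the pretty-printed one so you can see how little whitespace removal buys compared with merging; check the consolidated policy against the limit before running `put-bucket-policy`. The statements that end up in the identity policy are subject to IAM's own policy size limits, so a very large set may need to be split across several managed policies.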
Dead Ends
Common approaches that don't work:
- 60% fail: Minifying the JSON. Removing whitespace does help a little, because the limit is based on the JSON document's byte count, but it typically saves only a few hundred bytes, which is not enough for a policy that is significantly over 20 KB.
- 90% fail: Adding a second bucket policy. An S3 bucket can have only one bucket policy; AWS does not support multiple policies on a single bucket, so all statements must be consolidated into one document.
- 50% fail: Moving everything into IAM policies. IAM role trust policies also have size limits (10 KB for a trust policy, 6 KB for a permissions policy), so the same issue can arise with IAM policies if they grow too large.