# Error: Error putting S3 bucket policy: The bucket policy is too large. Maximum policy size is 20 KB.

- **ID:** `policy/aws-s3-bucket-policy-size-limit-exceeded`
- **Domain:** policy
- **Category:** resource_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The S3 bucket policy document exceeds the 20 KB size limit that AWS imposes on bucket policies, usually because of an excessive number of statements, long ARNs, or large condition blocks.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 | active | — | — |
| AWS CLI 2.x | active | — | — |
| AWS SDK for Python (boto3) 1.28+ | active | — | — |

## Workarounds

1. **Consolidate statements that share the same effect, principal, and action into a single statement with a list of resources.** For example, replace separate statements for each bucket with one statement that lists all bucket ARNs in the `Resource` field. Check the file size with `ls -l policy.json` before uploading it with `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json`. (85% success)
2. **Move some permissions into IAM policies attached to users or roles instead of the bucket policy.** For example, if the bucket policy grants access to multiple IAM users, create an IAM policy that grants the same permissions and attach it to those users; every statement moved out shrinks the bucket policy. (80% success)
3. **Use S3 Access Points or S3 Object Lambda to offload some policy logic from the bucket policy.** Access Points have their own policies (20 KB limit per access point) and can be used to delegate access control. (70% success)
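As an added example (not part of the original entry), a small Python helper that applies workaround 1 mechanically: it merges statements that differ only in `Sid` and `Resource`, then measures the compact JSON byte count against the 20 KB limit before the document is uploaded. The sample policy, account ID and bucket names are constructed placeholders, not values from the page.

```python
import json

BUCKET_POLICY_LIMIT_BYTES = 20 * 1024  # S3 bucket policy limit: 20 KB

def _as_list(value):
    return value if isinstance(value, list) else [value]

def consolidate_statements(policy):
    """Merge statements that differ only in Sid and Resource into one.

    Resources in one statement are OR-ed, so statements with identical Effect,
    Principal, Action and Condition grant the same access once their Resource
    lists are joined. Statements without a Resource key pass through as-is."""
    merged, order = {}, []  # canonical key -> statement, in first-seen order
    for stmt in _as_list(policy.get("Statement", [])):
        if "Resource" not in stmt:
            key = ("keep", len(order))  # unique key: never merged
        else:
            body = {k: v for k, v in stmt.items() if k not in ("Sid", "Resource")}
            key = ("merge", json.dumps(body, sort_keys=True))
        if key not in merged:
            merged[key] = dict(stmt)  # first statement of a group keeps its Sid
            order.append(key)
            if "Resource" in stmt:
                merged[key]["Resource"] = []
        if "Resource" in stmt:
            target = merged[key]["Resource"]
            for arn in _as_list(stmt["Resource"]):
                if arn not in target:  # de-duplicate, preserve order
                    target.append(arn)
    return {**policy, "Statement": [merged[k] for k in order]}

def policy_size_bytes(policy):
    """Byte count of the compact JSON that put-bucket-policy would send."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

# Constructed sample (not a real policy): one statement per bucket for the same
# principal and action, the pattern that inflates bucket policies.
READER = {"AWS": "arn:aws:iam::111122223333:role/reader"}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadA", "Effect": "Allow", "Principal": READER,
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-a/*"},
    {"Sid": "ReadB", "Effect": "Allow", "Principal": READER,
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-b/*"},
    {"Sid": "DenyHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-a", "arn:aws:s3:::example-a/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
```

Run `policy_size_bytes(consolidate_statements(policy))` on the loaded `policy.json`; if the result is still above `BUCKET_POLICY_LIMIT_BYTES`, statement merging alone will not fix the error and workaround 2 or 3 is needed.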

## Dead Ends

- **Minifying the JSON by stripping whitespace** — While removing whitespace helps, the policy size limit is based on the JSON document's byte count. Removing whitespace typically saves only a few hundred bytes, which is insufficient for policies that are significantly over 20 KB. (60% fail)
- **Attaching a second bucket policy** — S3 buckets can only have one bucket policy. AWS does not support multiple policies on a single bucket. You must consolidate all statements into one policy. (90% fail)
- **Moving everything into IAM policies** — IAM role trust policies also have size limits (10 KB for trust policy, 6 KB for permissions policy). The same issue may arise with IAM policies if they are too large. (50% fail)
