
Error: Error putting S3 policy: The bucket policy is too large. Maximum policy size is 20 KB.

ID: policy/aws-s3-bucket-policy-too-large

Fix rate: 80%
Confidence: 84%
Evidence: 1
First seen: 2023-06-12

Version Compatibility

| Version        | Status | Introduced | Deprecated | Notes |
|----------------|--------|------------|------------|-------|
| AWS S3         | active | 2023-04-01 |            |       |
| AWS CLI 2.13.0 | active |            |            |       |

Root Cause

The S3 bucket policy document exceeds the AWS-imposed limit of 20 KB (20480 bytes) for bucket policies.


Official Documentation

https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html

Workarounds

  1. 85% success: Replace the bucket policy with an IAM policy and attach it to the relevant users/roles. For example, create an IAM policy with the same permissions and attach it to a role: `aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json` then `aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access`.
  2. 80% success: Use S3 Access Points with separate policies to distribute permissions. Create an access point and attach a smaller policy: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point --policy file://small-policy.json`. Users then access the bucket via the access point ARN.
  3. 75% success: Consolidate multiple statements into one with multiple actions and conditions to reduce overhead. For example, combine `s3:GetObject` and `s3:PutObject` into a single statement with `"Action": ["s3:GetObject", "s3:PutObject"]`.
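As an added example (not from this page or from AWS), the following Python script measures a policy's compact byte size against the 20 KB limit and applies workaround 3 mechanically, merging statements that differ only in their Action list while leaving Effect, Principal, Resource and Condition untouched. The sample policy, account id, bucket and role names are constructed placeholders.

```python
import json

MAX_POLICY_BYTES = 20480  # AWS limit on an S3 bucket policy document (20 KB)
GROUP_KEYS = ("Effect", "Principal", "NotPrincipal", "Resource", "NotResource", "Condition")

# Constructed sample policy; the account id, role and bucket names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Read", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/my-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "Write", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/my-role"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

def policy_size(policy):
    """Bytes of the compact (whitespace-stripped) serialization, the smallest form you can submit."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def fits_limit(policy):
    return policy_size(policy) <= MAX_POLICY_BYTES

def consolidate_statements(policy):
    """Merge statements that differ only in Action (the page's workaround 3).
    IAM evaluates statements independently, so statements sharing Effect,
    Principal, Resource and Condition are equivalent to one statement whose
    Action is their union. Sids are dropped (optional, and they count toward the
    limit); statements using NotAction are passed through untouched."""
    merged, out = {}, []
    for stmt in policy["Statement"]:
        if "Action" not in stmt:
            out.append(stmt)
            continue
        key = json.dumps({k: stmt.get(k) for k in GROUP_KEYS}, sort_keys=True)
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if key not in merged:
            merged[key] = {**{k: v for k, v in stmt.items() if k not in ("Sid", "Action")}, "Action": []}
            out.append(merged[key])
        for action in actions:
            if action not in merged[key]["Action"]:
                merged[key]["Action"].append(action)
    return {**policy, "Statement": out}
```

Consolidation is the one workaround that changes no access boundary; moving grants into IAM identity policies (workaround 1) only covers principals in the same account, since cross-account and anonymous access still has to be granted by a bucket or access point policy.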


Dead Ends

Common approaches that don't work:

  1. 60% fail: Stripping whitespace from the policy document. The limit is on the actual byte size of the document, so removing whitespace reduces the size only slightly, and usually not enough when there are many statements.
  2. 40% fail: Collapsing statements into broader grants. While this reduces size, it may grant broader access than intended, violating security policies, and the policy may still be too large if there are many conditions.
  3. 95% fail: Attaching a second policy to the bucket. S3 buckets support only one bucket policy; you cannot attach multiple policies to a single bucket.