{ "id": "policy/aws-s3-bucket-policy-too-large", "signature": "Error: Error putting S3 policy: The bucket policy is too large. Maximum policy size is 20 KB.", "signature_zh": "错误:设置S3策略时出错:存储桶策略过大。最大策略大小为20 KB。", "regex": "Error putting S3 policy: The bucket policy is too large\\. Maximum policy size is 20 KB\\.", "domain": "policy", "category": "resource_error", "subcategory": null, "root_cause": "The S3 bucket policy document exceeds the AWS-imposed limit of 20 KB (20480 bytes) for bucket policies.", "root_cause_type": "generic", "root_cause_zh": "S3存储桶策略文档超过了AWS对存储桶策略施加的20 KB(20480字节)限制。", "versions": [ { "version": "AWS S3 2023-04-01", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "AWS CLI 2.13.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "The limit is on the actual byte size of the policy document; removing whitespace may reduce size slightly but often not enough if there are many statements.", "fail_rate": 0.6, "condition": "", "sources": [] }, { "action": "", "why_fails": "While this reduces size, it may grant broad access, violating security policies. Also, the policy may still be too large if there are many conditions.", "fail_rate": 0.4, "condition": "", "sources": [] }, { "action": "", "why_fails": "S3 buckets only support one policy; you cannot attach multiple policies to a single bucket.", "fail_rate": 0.95, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Replace the bucket policy with an IAM policy and attach it to the relevant users/roles. For example, create an IAM policy with the same permissions and attach it to a role: `aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json` then `aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access`.", "success_rate": 0.85, "how": "Replace the bucket policy with an IAM policy and attach it to the relevant users/roles. For example, create an IAM policy with the same permissions and attach it to a role: `aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json` then `aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access`.", "condition": "", "sources": [] }, { "action": "Use S3 Access Points with separate policies to distribute permissions. Create an access point and attach a smaller policy: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point --policy file://small-policy.json`. Then users access via the access point ARN.", "success_rate": 0.8, "how": "Use S3 Access Points with separate policies to distribute permissions. Create an access point and attach a smaller policy: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point --policy file://small-policy.json`. Then users access via the access point ARN.", "condition": "", "sources": [] }, { "action": "Consolidate multiple statements into one with multiple actions and conditions to reduce overhead. For example, combine `s3:GetObject` and `s3:PutObject` into a single statement with `\"Action\": [\"s3:GetObject\", \"s3:PutObject\"]`.", "success_rate": 0.75, "how": "Consolidate multiple statements into one with multiple actions and conditions to reduce overhead. For example, combine `s3:GetObject` and `s3:PutObject` into a single statement with `\"Action\": [\"s3:GetObject\", \"s3:PutObject\"]`.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Replace the bucket policy with an IAM policy and attach it to the relevant users/roles. For example, create an IAM policy with the same permissions and attach it to a role: `aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json` then `aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access`.", "Use S3 Access Points with separate policies to distribute permissions. Create an access point and attach a smaller policy: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point --policy file://small-policy.json`. Then users access via the access point ARN.", "Consolidate multiple statements into one with multiple actions and conditions to reduce overhead. For example, combine `s3:GetObject` and `s3:PutObject` into a single statement with `\"Action\": [\"s3:GetObject\", \"s3:PutObject\"]`." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html", "official_doc_section": null, "error_code": "MalformedPolicy", "verification_tier": "ai_generated", "confidence": 0.84, "fix_success_rate": 0.8, "resolvable": "true", "first_seen": "2023-06-12", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }