# Error: Error putting S3 policy: The bucket policy is too large. Maximum policy size is 20 KB.

- **ID:** `policy/aws-s3-bucket-policy-too-large`
- **Domain:** policy
- **Category:** resource_error
- **Error Code:** `MalformedPolicy`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The S3 bucket policy document exceeds the AWS-imposed limit of 20 KB (20480 bytes) for bucket policies.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| AWS S3 2023-04-01 | active | — | — |
| AWS CLI 2.13.0 | active | — | — |

## Workarounds

1. **Replace the bucket policy with an IAM policy and attach it to the relevant users/roles.** (85% success)

   Create an IAM policy with the same permissions and attach it to a role:
   ```
   # policy.json is an identity policy: same Action/Resource/Condition, but no Principal element
   aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json
   aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access
   ```
2. **Use S3 Access Points with separate policies to distribute permissions.** (80% success)

   Create an access point and attach a smaller policy to it; users then access the bucket via the access point ARN:
   ```
   aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point
   # create-access-point takes no --policy option; the policy is attached in a separate call
   aws s3control put-access-point-policy --account-id 123456789012 --name my-access-point --policy file://small-policy.json
   ```
3. **Consolidate multiple statements into one with multiple actions and conditions to reduce overhead.** (75% success)

   For example, combine `s3:GetObject` and `s3:PutObject` into a single statement:
   ```
   "Action": ["s3:GetObject", "s3:PutObject"]
   ```
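Workaround 3 carried out offline, as an added example that is not part of the original entry: it merges statements that differ only in `Action` (and `Sid`) and checks the result against the 20480-byte limit. The function names, the `example-role-N` ARNs and the sample policy are constructed for illustration, and the size is assumed to be measured on the whitespace-free serialization.

```python
import json

S3_BUCKET_POLICY_LIMIT = 20480  # bytes: the 20 KB limit from the error message

def policy_size(policy):
    """UTF-8 byte length of the policy serialized without optional whitespace."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def fits(policy):
    return policy_size(policy) <= S3_BUCKET_POLICY_LIMIT

def consolidate(policy):
    """Merge statements identical in everything except Action and Sid.

    Effect, Principal, Resource and Condition must match exactly, so the merged
    policy grants the same access. Statements without an Action key (NotAction)
    are passed through unchanged. The input policy is not modified.
    """
    merged, out = {}, []
    for stmt in policy["Statement"]:
        if "Action" not in stmt:
            out.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        rest = {k: v for k, v in stmt.items() if k not in ("Action", "Sid")}
        key = json.dumps(rest, sort_keys=True)  # grouping key for "same everything else"
        if key not in merged:
            merged[key] = dict(stmt, Action=[])  # keeps the first statement's Sid
            out.append(merged[key])
        for action in actions:
            if action not in merged[key]["Action"]:
                merged[key]["Action"].append(action)
    return dict(policy, Statement=out)

def sample_policy(n_roles):
    """Constructed input: one statement per (role, action) pair."""
    stmts = [{"Sid": f"Role{i}{action.split(':')[1]}", "Effect": "Allow",
              "Principal": {"AWS": f"arn:aws:iam::123456789012:role/example-role-{i}"},
              "Action": action, "Resource": "arn:aws:s3:::my-bucket/*"}
             for i in range(n_roles) for action in ("s3:GetObject", "s3:PutObject")]
    return {"Version": "2012-10-17", "Statement": stmts}

if __name__ == "__main__":
    before = sample_policy(70)
    after = consolidate(before)
    for label, p in (("before", before), ("after", after)):
        print(label, len(p["Statement"]), "statements,", policy_size(p), "bytes, fits:", fits(p))
```

Run it on the real policy file before calling `put-bucket-policy`; if the consolidated size is still over the limit, the statements do not share enough structure and workaround 1 or 2 is the remaining option.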

## Dead Ends

- The limit is on the actual byte size of the policy document; removing whitespace may reduce size slightly but often not enough if there are many statements. (60% fail)
- While this reduces size, it may grant broad access, violating security policies. Also, the policy may still be too large if there are many conditions. (40% fail)
- S3 buckets only support one policy; you cannot attach multiple policies to a single bucket. (95% fail)
