MalformedPolicy
policy
resource_error
ai_generated
true
Error: Error putting S3 policy: The bucket policy is too large. Maximum policy size is 20 KB.
ID: policy/aws-s3-bucket-policy-too-large
80% fix rate
84% confidence
1 evidence item
First seen 2023-06-12
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS S3 2023-04-01 | active | — | — | — |
| AWS CLI 2.13.0 | active | — | — | — |
Root cause analysis
The S3 bucket policy document exceeds the AWS-imposed limit of 20 KB (20480 bytes) for bucket policies.
Official documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html
Solutions
- Replace the bucket policy with an IAM policy and attach it to the relevant users/roles. For example, create an IAM policy with the same permissions and attach it to a role: `aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json`, then `aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access`.
- Use S3 Access Points with separate policies to distribute permissions. Create an access point and attach a smaller policy: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point --policy file://small-policy.json`. Users then access the bucket via the access point ARN.
- Consolidate multiple statements into one with multiple actions and conditions to reduce overhead. For example, combine `s3:GetObject` and `s3:PutObject` into a single statement with `"Action": ["s3:GetObject", "s3:PutObject"]`.
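As an added illustration of the consolidation approach (example code, not part of this entry), the script below measures a policy against the 20480-byte limit and merges statements that differ only in `Action`; the sample policy, role and bucket names are constructed for the example.

```python
import json
MAX_POLICY_BYTES = 20480  # AWS limit for an S3 bucket policy (20 KB)

def policy_size(policy: dict) -> int:
    """Bytes AWS receives if the policy is uploaded as compact JSON."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def fits_limit(policy: dict) -> bool:
    return policy_size(policy) <= MAX_POLICY_BYTES

def _merge_key(stmt: dict) -> str:
    # Statements are mergeable when everything except Sid and Action matches.
    rest = {k: v for k, v in stmt.items() if k not in ("Sid", "Action")}
    return json.dumps(rest, sort_keys=True)

def consolidate(policy: dict) -> dict:
    """Return a copy in which statements differing only in Action are merged."""
    merged = {}  # merge key -> statement; dict keeps insertion order
    for stmt in policy.get("Statement", []):
        if "NotAction" in stmt:  # NotAction statements are kept unchanged
            merged["na:" + json.dumps(stmt, sort_keys=True)] = dict(stmt)
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else list(actions)
        key = _merge_key(stmt)
        if key in merged:
            for action in actions:
                if action not in merged[key]["Action"]:
                    merged[key]["Action"].append(action)
        else:
            new = {k: v for k, v in stmt.items() if k != "Sid"}
            new["Action"] = actions  # always a list so later merges can append
            merged[key] = new
    return {**policy, "Statement": list(merged.values())}

# Constructed sample: two Allow statements for the same role and resource that
# differ only in Action, plus one unrelated Deny that must stay separate.
ROLE = "arn:aws:iam::123456789012:role/my-role"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Get", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "Put", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::my-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
```

Run `fits_limit` on the consolidated policy before calling `put-bucket-policy`; the size measured is for compact JSON, so a pretty-printed file on disk will be larger.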
Ineffective attempts
Common but ineffective approaches:
- 60% failure: The limit is on the actual byte size of the policy document; removing whitespace may reduce the size slightly, but often not enough if there are many statements.
- 40% failure: While this reduces size, it may grant broad access, violating security policies. The policy may also still be too large if there are many conditions.
- 95% failure: S3 buckets support only one policy; you cannot attach multiple policies to a single bucket.