# Error: Error setting S3 policy: bucket policy too large. Maximum policy size is 20 KB.

- **ID:** `policy/aws-s3-bucket-policy-too-large`
- **Domain:** policy
- **Category:** resource_error
- **Error code:** `MalformedPolicy`
- **Validation level:** ai_generated
- **Fix rate:** 80%

## Root cause

The S3 bucket policy document exceeds the 20 KB (20,480-byte) limit that AWS imposes on bucket policies.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| AWS S3 2023-04-01 | active | — | — |
| AWS CLI 2.13.0 | active | — | — |

## Solutions

1. Replace the bucket policy with an IAM policy and attach it to the relevant users or roles. For example, create an IAM policy with the same permissions and attach it to a role: `aws iam create-policy --policy-name my-bucket-access --policy-document file://policy.json`, then `aws iam attach-role-policy --role-name my-role --policy-arn arn:aws:iam::123456789012:policy/my-bucket-access`. Note that an identity-based IAM policy only grants access to principals in the same account; cross-account access still needs a bucket policy or an access point policy.
2. Use S3 Access Points with separate policies to distribute permissions. Create an access point and attach a smaller policy: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket --name my-access-point --policy file://small-policy.json`. Users then access the bucket through the access point ARN.
3. Consolidate multiple statements into one statement with multiple actions and conditions to reduce overhead. For example, combine `s3:GetObject` and `s3:PutObject` into a single statement with `"Action": ["s3:GetObject", "s3:PutObject"]`.

## Ineffective attempts

- **Removing whitespace:** The limit applies to the actual byte size of the policy document; removing whitespace may reduce the size slightly, but often not enough when there are many statements. (60% failure rate)
- **Replacing specific permissions with broader ones:** While this reduces size, it may grant broad access and violate security policies. The policy may also still be too large if there are many conditions. (40% failure rate)
- **Attaching multiple bucket policies:** S3 buckets support only one policy; you cannot attach multiple policies to a single bucket. (95% failure rate)
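The following is an added example, not code from the page or from AWS. It measures a bucket policy the way the limit is applied (UTF-8 bytes of the JSON document) and implements the statement consolidation from solution 3 in a way that cannot change what the policy grants: statements are merged only when their Effect, Principal, Resource and Condition are identical, so the merged statement is the exact union of the originals. Run on a constructed policy with one statement per (role, action) pair, it also shows the point made under ineffective attempts: minifying whitespace shrinks the document but still leaves it over 20,480 bytes, whereas consolidation brings it under. The account id, bucket name and role names are placeholders, and the sample policy is constructed for the demonstration.

```python
import json
from copy import deepcopy

# Limit from the page: AWS caps an S3 bucket policy document at 20 KB (20480 bytes).
BUCKET_POLICY_LIMIT_BYTES = 20480

# Constructed sample values; the account id, bucket and role names are placeholders.
ACCOUNT_ID = "123456789012"
BUCKET_ARN = "arn:aws:s3:::my-bucket"
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectTagging")


def build_sample_policy(n_roles: int = 30) -> dict:
    """Constructed bucket policy with one statement per (role, action) pair.

    This is the shape that bloats a bucket policy: every statement repeats the
    same Principal, Resource and Condition and differs only in its Action.
    """
    statements = []
    for i in range(n_roles):
        for action in OBJECT_ACTIONS:
            statements.append({
                "Sid": f"Role{i:03d}{action.split(':')[1]}",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app-role-{i:03d}"},
                "Action": action,
                "Resource": f"{BUCKET_ARN}/*",
                "Condition": {"Bool": {"aws:SecureTransport": "true"}},
            })
    return {"Version": "2012-10-17", "Statement": statements}


def policy_size_bytes(policy: dict, minify: bool = False) -> int:
    """UTF-8 byte size of the policy document as it would be submitted to S3.

    minify=True strips all insignificant whitespace, i.e. the "remove
    whitespace" attempt the page lists as usually insufficient.
    """
    text = json.dumps(policy, separators=(",", ":")) if minify else json.dumps(policy, indent=2)
    return len(text.encode("utf-8"))


def exceeds_limit(policy: dict, minify: bool = False) -> bool:
    """True when the document would be rejected for exceeding the 20 KB limit."""
    return policy_size_bytes(policy, minify) > BUCKET_POLICY_LIMIT_BYTES


def _merge_key(stmt: dict) -> str:
    """Statements may be merged only when everything except Sid and Action matches."""
    rest = {k: v for k, v in stmt.items() if k not in ("Sid", "Action")}
    return json.dumps(rest, sort_keys=True)


def consolidate_statements(policy: dict) -> dict:
    """Merge statements that differ only in Action into one statement per group.

    Statements with identical Effect, Principal, Resource and Condition are
    equivalent to one statement whose Action is the union of theirs, so the
    merge never changes what the policy grants or denies. Statements that use
    NotAction or NotResource are left untouched, because combining them could
    widen the policy. The first statement's Sid is kept for its group, and the
    input policy is not modified.
    """
    policy = deepcopy(policy)
    merged_by_key = {}
    new_statements = []
    for stmt in policy.get("Statement", []):
        if "Action" not in stmt or "NotAction" in stmt or "NotResource" in stmt:
            new_statements.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        key = _merge_key(stmt)
        if key in merged_by_key:
            target = merged_by_key[key]["Action"]
            for action in actions:
                if action not in target:
                    target.append(action)
        else:
            stmt["Action"] = list(actions)
            merged_by_key[key] = stmt
            new_statements.append(stmt)
    policy["Statement"] = new_statements
    return policy


def size_report(policy: dict) -> dict:
    """Byte sizes as written, minified, and after consolidation (pretty-printed)."""
    consolidated = consolidate_statements(policy)
    return {
        "original": policy_size_bytes(policy),
        "minified": policy_size_bytes(policy, minify=True),
        "consolidated": policy_size_bytes(consolidated),
        "statements_before": len(policy["Statement"]),
        "statements_after": len(consolidated["Statement"]),
    }


if __name__ == "__main__":
    for name, value in size_report(build_sample_policy()).items():
        print(f"{name:>18}: {value}")
```

Run `size_report` on an exported bucket policy (`aws s3api get-bucket-policy` returns the document as a JSON string) to see how far over the limit it is and how much consolidation recovers before choosing between solutions 1 to 3. The merge key deliberately includes Condition and Principal verbatim, so two statements that look similar but carry different condition keys are never combined; that conservatism is what keeps the rewrite permission-neutral.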
