How can I increase the default managed policies or character size limit for an IAM role or user?

Last updated: 2021-08-26

I want to attach more than 20 managed policies or increase the character size limit for an AWS Identity and Access Management (IAM) role or user.

Short description

You can attach a maximum of 20 managed policies to an IAM role or user. The maximum character size for a managed policy is 6,144. For more information, see IAM object quotas and IAM and AWS STS quotas.

Note: The default limit for managed policies is 10. To increase the default limit from 10 to up to 20, you must submit a request for a service quota increase.

Resolution

If you reached the managed policy or character size limit for an IAM group, user, role, or policy, then use the following workaround depending on your scenario.

IAM groups

Create another IAM group. You can have up to 300 IAM groups per account. Attach the managed policy to the IAM user instead of the IAM group. You can attach up to 20 managed policies to IAM roles and users.

IAM users

Create more IAM groups and attach the managed policy to the group. You can assign IAM users to up to 10 groups. You can also attach up to 10 managed policies to each group, for a maximum of 120 policies (20 managed policies attached to the IAM user, 10 IAM groups, with 10 policies each).

Combine managed policies

Combine multiple managed policies into a single policy. You can add up to 6,144 characters per managed policy.

Reduce the character size of the managed policies

Remove duplicate permissions by combining all actions with the same Effect. Combine resource and condition statements, and remove unnecessary statements such as Sid. Use wildcards (*) for actions with the same suffix or prefix.
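
The following Python sketch is an added example, not code from the original article. It drops Sid, merges statements that share the same Effect, Resource, and Condition, and measures the result against the 6,144 character quota. The function names and the sample policy are constructed for illustration. It deliberately adds no wildcards, because a wildcard can match actions that the original policy never listed.

```python
import json

MANAGED_POLICY_LIMIT = 6144  # character quota for a managed policy, as stated above

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _unwrap(values):
    return values[0] if len(values) == 1 else values

def policy_size(policy):
    # IAM does not count whitespace against the policy size quota.
    return len("".join(json.dumps(policy).split()))

def compact(policy):
    """Drop Sid and merge statements sharing Effect, Resource and Condition."""
    merged, untouched = {}, []
    for stmt in _as_list(policy["Statement"]):
        stmt = {k: v for k, v in stmt.items() if k != "Sid"}
        # Statements using NotAction, NotResource or Principal are kept as they are.
        if set(stmt) - {"Condition"} != {"Effect", "Action", "Resource"}:
            untouched.append(stmt)
            continue
        key = (stmt["Effect"],
               json.dumps(sorted(set(_as_list(stmt["Resource"])))),
               json.dumps(stmt.get("Condition"), sort_keys=True))
        merged.setdefault(key, set()).update(_as_list(stmt["Action"]))
    statements = []
    for (effect, resources, condition), actions in merged.items():
        stmt = {"Effect": effect, "Action": _unwrap(sorted(actions)),
                "Resource": _unwrap(json.loads(resources))}
        if json.loads(condition) is not None:
            stmt["Condition"] = json.loads(condition)
        statements.append(stmt)
    return {**policy, "Statement": statements + untouched}

# Constructed sample policy (hypothetical bucket name).
BUCKET = "arn:aws:s3:::example-bucket"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadObjects", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "WriteObjects", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": [BUCKET + "/*"]},
    {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
]}

if __name__ == "__main__":
    small = compact(SAMPLE)
    print(policy_size(SAMPLE), "->", policy_size(small), "of", MANAGED_POLICY_LIMIT)
    print(json.dumps(small, indent=2))
```

Review the compacted document before you save it as a new policy version, and confirm that each merged statement still grants only the actions and resources that the original statements granted.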

Use inline policies instead of managed policies

You can use as many inline policies as you want, but the aggregate policy size can't exceed the character quotas. The inline policy character limits are 2,048 for users, 10,240 for roles, and 5,120 for groups.

Important: It's a best practice to use customer managed policies instead of inline policies.

