How do I resolve the error "The final policy size is bigger than the limit" from Lambda?

Last updated: 2021-04-14

When I set a trigger to invoke my AWS Lambda function, I get the error "The final policy size is bigger than the limit". How do I resolve the error?

Short description

If your Lambda function's resource-based policy is over 20 KB, then Lambda returns a "The final policy size is bigger than the limit" error.

The error can occur when you add policy statements to your function's resource-based policy by doing either of the following:

To resolve the error, reduce the size of your function's resource-based policy by removing repetitive policy statements and replacing them with consolidated statements that use wildcards (*). For more information, see Lambda quotas and Cleaning up resource-based policies.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

Review your function's resource-based policies

Note: For the following commands, replace my-function with your function's name or Amazon Resource Name (ARN).

1. Run the following get-policy AWS CLI command to find and review your Lambda function's resource-based policy:

$ aws lambda get-policy --function-name my-function

Note: You can also use the command line JSON processor, jq, in the get-policy command to write advanced queries. For information on how to download and install jq, see Download jq on the jq website on GitHub.

Example get-policy command that uses jq to format a Lambda function's policy as a JSON file

$ aws lambda get-policy --function-name my-function | jq '.Policy|fromjson'

Example get-policy command that uses jq to find the size of a Lambda function's policy

$ aws lambda get-policy --function-name my-function | jq -r '.Policy' | wc -c

Example get-policy command that uses jq to find the statement ID (Sid) of certain policy statements

$ aws lambda get-policy --function-name my-function | jq '.Policy 
| fromjson 
| .Statement[] 
| select(.Principal.Service=="events.amazonaws.com") 
| .Sid'

Note: Replace events.amazonaws.com with the AWS service that invokes your function.

Example get-policy command that uses jq to get the Sid of resources whose names start with the same string

$ aws lambda get-policy --function-name my-function | jq '.Policy
| fromjson
| .Statement[]
| select((.Condition.ArnLike."AWS:SourceArn" // "") | startswith("arn:aws:events:region:account-id:rule/test-"))
| .Sid'

Note: Replace arn:aws:events:region:account-id:rule/test- with a string shared by the ARNs of resources across multiple, repetitive policy statements. The // "" alternative makes the query skip statements that have no AWS:SourceArn condition (for example, account principals) instead of failing on a null value.

2. In the resource-based policy, identify policy statements that you can replace with a wildcard. Note the Sid of each policy statement.

Remove repetitive policy statements

Run the following remove-permission AWS CLI command to remove each repetitive policy statement:

$ aws lambda remove-permission --function-name my-function --statement-id sid

Note: Replace my-function with your function's name or ARN. Replace sid with the Sid of the policy statement that you want to remove.

Add policy statements that use a wildcard (*)

Run the following add-permission AWS CLI command to add new, consolidated policy statements that include a wildcard (*):

$ aws lambda add-permission --function-name my-function \
--statement-id 'sid' \
--action 'lambda:InvokeFunction' \
--principal 'events.amazonaws.com' \
--source-arn 'arn:aws:events:region:account-id:rule/test-*'

Note: Replace my-function with your function's name or ARN. Replace sid with a new Sid of any value. Replace events.amazonaws.com with the AWS service or account principal that invokes your function. Replace arn:aws:events:region:account-id:rule/test-* with an ARN string (plus a wildcard) shared by the resources that you're granting permissions to.

For more information, see Granting function access to AWS services.
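The following is an added worked example of the review step, not code from this article or from AWS: it measures a constructed sample policy against the 20 KB quota and groups the repetitive events.amazonaws.com statements that share an ARN prefix into a single wildcard candidate, which is what the jq queries above do by hand. The function names, the sample account IDs and the ARNs are assumptions.

```python
import json
from collections import defaultdict

POLICY_LIMIT_BYTES = 20 * 1024  # Lambda resource-based policy quota: 20 KB

def _stmt(sid, principal, source_arn=None):
    # Helper that builds one Allow statement for the constructed sample below.
    s = {"Sid": sid, "Effect": "Allow", "Principal": principal,
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
    if source_arn:
        s["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return s

# Constructed sample policy (account IDs and ARNs are placeholders): three
# repetitive EventBridge rules, one S3 bucket, and one account principal with
# no Condition. Lambda returns the policy as a JSON string, hence json.dumps.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    *[_stmt(f"rule-{i}", {"Service": "events.amazonaws.com"},
            f"arn:aws:events:us-east-1:123456789012:rule/test-{i}") for i in range(3)],
    _stmt("s3-notify", {"Service": "s3.amazonaws.com"}, "arn:aws:s3:::my-bucket"),
    _stmt("cross-account", {"AWS": "arn:aws:iam::210987654321:root"}),
]})

def policy_size(policy_json):
    """Bytes of the policy string, the quantity the 20 KB quota applies to."""
    return len(policy_json.encode("utf-8"))

def source_arn(stmt):
    """AWS:SourceArn of a statement, or None when it has no such Condition."""
    return stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")

def plan_consolidation(policy_json, prefix):
    """Group Allow statements whose SourceArn starts with `prefix` by
    (principal, action). Returns {key: (sids_to_remove, wildcard_arn)} for
    groups with more than one statement; single statements are left alone."""
    groups = defaultdict(list)
    for s in json.loads(policy_json)["Statement"]:
        arn = source_arn(s)
        if s.get("Effect") != "Allow" or not isinstance(arn, str):
            continue  # skips account principals and non-ArnLike conditions
        p = s["Principal"]
        principal = p.get("Service") if isinstance(p, dict) else p
        if arn.startswith(prefix):
            groups[(principal, s["Action"])].append(s["Sid"])
    return {k: (sids, prefix + "*") for k, sids in groups.items() if len(sids) > 1}

if __name__ == "__main__":
    print(f"policy size: {policy_size(SAMPLE_POLICY)} / {POLICY_LIMIT_BYTES} bytes")
    for (svc, action), (sids, arn) in plan_consolidation(
            SAMPLE_POLICY, "arn:aws:events:us-east-1:123456789012:rule/test-").items():
        print(f"remove {sids}; add one {action} grant for {svc} with --source-arn {arn}")
```

Each Sid in the returned list maps to one remove-permission call, and each group maps to one add-permission call with the wildcard ARN as --source-arn.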