How can I resolve the IAM error "Maximum policy size of xxxxx bytes exceeded for the user or role."


I received an AWS Identity and Access Management (IAM) error message similar to the following: "Maximum policy size of xxxxx bytes exceeded for the user or role." How can I increase the default managed policy or character size limit for an IAM role or user?

Short description

The maximum number of managed policies that can be attached to an IAM role or user is 20. The maximum character size limit for a managed policy is 6,144. For more information, see IAM object quotas and IAM and AWS STS quotas, name requirements, and character limits.

Note: The default limit for managed policies is 10. To increase the default limit from 10 to up to 20, you must submit a request for a service quota increase.

Resolution

If you reached the managed policy or character size limit for an IAM group, user, role, or policy, then use these workarounds, depending on your scenario.

IAM groups

Create another IAM group. You can have up to 300 IAM groups per account. Attach the managed policy to the IAM user instead of the IAM group. You can attach up to 20 managed policies to IAM roles and users.

IAM users

Create more IAM groups and attach the managed policy to the group. You can assign IAM users to up to 10 groups. You can also attach up to 10 managed policies to each group, for a maximum of 120 policies (20 managed policies attached to the IAM user, 10 IAM groups, with 10 policies each).

Combine managed policies

Combine multiple managed policies into a single policy. You can add up to 6,144 characters per managed policy.

Reduce the character size of the managed policies

Remove duplicate permissions by combining all actions with the same Effect. Combine resource and condition statements. Remove unnecessary statements such as Sid. Use wildcards (*) for actions with the same suffix or prefix.
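As an added illustration (not part of this AWS article), the following Python script applies the first three tips above to a constructed sample policy and measures the result against the 6,144-character quota. The policy and bucket name are made up; the merge only unions Action lists of statements with identical Effect, Resource and Condition, so it never changes what is granted. Wildcarding is left as a manual step because a wildcard can broaden permissions.

```python
import json
from collections import defaultdict

MANAGED_POLICY_LIMIT = 6144  # character quota quoted in the article
# Constructed sample with redundant statements; not a real customer policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "GetObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "GetAcl", "Effect": "Allow", "Action": "s3:GetObjectAcl",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def policy_size(policy):
    """Characters IAM counts toward the quota: the JSON with whitespace removed."""
    return len(json.dumps(policy, separators=(",", ":")))

def fits_managed_policy(policy):
    return policy_size(policy) <= MANAGED_POLICY_LIMIT

def compact_policy(policy):
    """Drop Sid and union the Action lists of statements that share the same
    Effect, Resource and Condition, so the permissions granted are unchanged.
    Statements without Action/Resource (e.g. NotAction) pass through as-is."""
    groups, passthrough = defaultdict(list), []
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            passthrough.append({k: v for k, v in stmt.items() if k != "Sid"})
            continue
        key = (stmt["Effect"],
               json.dumps(stmt["Resource"], sort_keys=True),
               json.dumps(stmt.get("Condition"), sort_keys=True))
        actions = stmt["Action"]
        groups[key].extend(actions if isinstance(actions, list) else [actions])
    merged = []
    for (effect, resource, condition), actions in groups.items():
        actions = sorted(set(actions))  # dedupe; a 1-item list becomes a string
        stmt = {"Effect": effect,
                "Action": actions[0] if len(actions) == 1 else actions,
                "Resource": json.loads(resource)}
        if condition != "null":
            stmt["Condition"] = json.loads(condition)
        merged.append(stmt)
    return {"Version": policy["Version"], "Statement": merged + passthrough}
```

Run `policy_size` on the original and on `compact_policy(...)` to see how many characters the rewrite saves before you touch the policy in the console.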

Use inline policies instead of managed policies

You can use as many inline policies as you want, but the aggregate policy size can't exceed the character quotas. The inline policy character limits are 2,048 for users, 10,240 for roles, and 5,120 for groups.

Important: It's a best practice to use customer managed policies instead of inline policies.
Related information

Inline policies

Security best practices in IAM

CIS AWS Foundations Benchmark controls