
How do I resolve the Lambda error "The final policy size is bigger than the limit"?


When I set a trigger to invoke my AWS Lambda function, I get the error "The final policy size is bigger than the limit".

Short description

If your Lambda function's resource-based policy is over 20 KB, then Lambda returns a "The final policy size is bigger than the limit" error.

This error might occur when you create resources for other AWS services that require permission to access your function.

Note: The Lambda function resource-based policy limit is 20 KB and isn't adjustable.

To resolve this error, remove repetitive policy statements and replace them with consolidated statements that use wildcards (*) to reduce the size of your function's policy.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Review your function's resource-based policies

To find and review your Lambda function's resource-based policy, run the following get-policy command:

aws lambda get-policy --function-name your-function

Note: Replace your-function with your function's name or Amazon Resource Name (ARN).

You can also use the command-line JSON processor jq in the get-policy command to write advanced queries. For information on how to download and install jq, see Download jq on the jq website.

Example get-policy command that uses jq to format a Lambda function's policy as a JSON file:

aws lambda get-policy --function-name your-function | jq '.Policy|fromjson'

Example get-policy command that uses jq to find the size of a Lambda function's policy:

aws lambda get-policy --function-name your-function | jq -r '.Policy' | wc -c

Example get-policy command that uses jq to find the statement ID (Sid) of certain policy statements:

aws lambda get-policy --function-name your-function | jq '.Policy | fromjson 
| .Statement[] 
| select(.Principal.Service=="events.amazonaws.com") 
| .Sid'

Note: Replace events.amazonaws.com with the AWS service that invokes your function.

Example get-policy command that uses jq to get the Sid of resources whose names start with the same string:

aws lambda get-policy --function-name your-function | jq '.Policy| fromjson
| .Statement[] 
| select(.Condition.ArnLike."AWS:SourceArn" | startswith("arn:aws:events:region:account-id:rule/test-")) 
| .Sid'

Note: Replace arn:aws:events:region:account-id:rule/test- with a string shared by the ARNs of resources across multiple, repetitive policy statements.

In the resource-based policy, identify policy statements that you can replace with a wildcard. Note the Sid of each policy statement.

Remove repetitive policy statements

To remove each repetitive policy statement, run the following remove-permission command:

aws lambda remove-permission --function-name your-function --statement-id sid

Note: Replace your-function with your function's name or ARN. Replace sid with the Sid of the policy statement that you want to remove.

Add policy statements that use a wildcard (*)

To add new, consolidated policy statements that include a wildcard (*), run the following add-permission command:

aws lambda add-permission --function-name your-function \
--statement-id 'sid' \
--action 'lambda:InvokeFunction' \
--principal 'events.amazonaws.com' \
--source-arn 'arn:aws:events:region:account-id:rule/test-*'

Note: Replace your-function with your function's name or ARN. Replace sid with a new, unique Sid of your choice. Replace events.amazonaws.com with the AWS service or AWS account principal that invokes your function. Replace arn:aws:events:region:account-id:rule/test-* with the ARN string (plus a wildcard) shared by the resources that you're granting permissions to.
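The review-and-consolidate procedure above, as an added Python example that is not part of the AWS article: it takes the JSON that get-policy returns, measures the policy the same way `jq -r '.Policy' | wc -c` does, groups statements that share principal, action, resource, region and account and differ only in the tail of their source ARN, and prints the Sids to pass to remove-permission together with the add-permission call for the consolidated wildcard statement. The policy, account id, region, function name and rule names are constructed placeholders. Before it proposes a wildcard, the script checks that the pattern covers every statement it would replace and refuses to emit a pattern that stops at the resource type (for example `rule/*`), because that would grant every rule in the account rather than the repetitive set you identified.

```python
import json
import os
from collections import defaultdict
from fnmatch import fnmatchcase

POLICY_SIZE_LIMIT = 20 * 1024  # Lambda's fixed 20 KB resource-based policy limit

# Constructed sample of `aws lambda get-policy` output: the Policy field is a
# JSON string. Account id, region, function and rule names are placeholders.
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {
                "Sid": f"AllowEventsRule{i}",
                "Effect": "Allow",
                "Principal": {"Service": "events.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:your-function",
                "Condition": {"ArnLike": {"AWS:SourceArn": f"arn:aws:events:us-east-1:111122223333:rule/test-{i}"}},
            }
            for i in range(1, 4)
        ] + [
            {
                "Sid": "AllowS3Bucket",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:your-function",
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}},
            }
        ],
    }),
    "RevisionId": "constructed-revision-id",
}


def policy_size_bytes(get_policy_output):
    """Size of the policy document in bytes, as `jq -r '.Policy' | wc -c` reports it."""
    return len(get_policy_output["Policy"].encode("utf-8"))


def estimated_size_bytes(policy):
    """Approximate size of an edited policy (compact JSON); re-run get-policy for the real value."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def load_policy(get_policy_output):
    return json.loads(get_policy_output["Policy"])


def source_arn(stmt):
    return stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")


def group_key(stmt):
    """Statements are candidates for one wildcard only if everything but the ARN tail matches."""
    arn = source_arn(stmt)
    if arn is None:
        return None
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6:
        return None
    return (stmt.get("Effect"), json.dumps(stmt.get("Principal"), sort_keys=True),
            json.dumps(stmt.get("Action")), json.dumps(stmt.get("Resource")), tuple(parts[:5]))


def find_consolidation_groups(policy):
    """Map each proposed wildcard source ARN to the Sids of the statements it would replace."""
    groups = defaultdict(list)
    for stmt in policy["Statement"]:
        key = group_key(stmt)
        if key is not None:
            groups[key].append(stmt)
    result = {}
    for key, stmts in groups.items():
        if len(stmts) < 2:
            continue
        resources = [source_arn(s).split(":", 5)[5] for s in stmts]
        common = os.path.commonprefix(resources)
        # Least-privilege guard: the shared prefix must still name a resource type
        # and a name stem ("rule/test-"); "rule/" or "" would cover every resource.
        if "/" not in common or common.endswith("/"):
            continue
        result[":".join(key[4]) + ":" + common + "*"] = [s["Sid"] for s in stmts]
    return result


def consolidate(policy):
    """Return (new_policy, removed_sids, added_statements) for the wildcard rewrite."""
    by_sid = {s["Sid"]: s for s in policy["Statement"]}
    removed, added = set(), []
    for pattern, sids in find_consolidation_groups(policy).items():
        for sid in sids:  # every replaced statement must be matched by the wildcard
            assert fnmatchcase(source_arn(by_sid[sid]), pattern), sid
        new_stmt = json.loads(json.dumps(by_sid[sids[0]]))
        new_stmt["Sid"] = "Consolidated" + "".join(c for c in pattern.split(":", 5)[5] if c.isalnum())
        new_stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": pattern}}
        removed.update(sids)
        added.append(new_stmt)
    kept = [s for s in policy["Statement"] if s["Sid"] not in removed]
    return dict(policy, Statement=kept + added), sorted(removed), added


def add_permission_command(function_name, stmt):
    """Render the article's add-permission call for a consolidated statement."""
    principal = stmt["Principal"].get("Service") or stmt["Principal"].get("AWS")
    return (f"aws lambda add-permission --function-name {function_name} \\\n"
            f"--statement-id '{stmt['Sid']}' \\\n--action '{stmt['Action']}' \\\n"
            f"--principal '{principal}' \\\n--source-arn '{source_arn(stmt)}'")


if __name__ == "__main__":
    policy = load_policy(SAMPLE_GET_POLICY_OUTPUT)
    print(f"policy size: {policy_size_bytes(SAMPLE_GET_POLICY_OUTPUT)} bytes (limit {POLICY_SIZE_LIMIT})")
    new_policy, removed, added = consolidate(policy)
    print("run remove-permission for Sids:", removed)
    for stmt in added:
        print(add_permission_command("your-function", stmt))
    print(f"estimated size after consolidation: {estimated_size_bytes(new_policy)} bytes")
```

The wildcard statement grants invoke permission to every current and future rule whose ARN matches the prefix, so keep the prefix as specific as the set of rules you actually own, and run get-policy again after the change, since Lambda stores the document in its own form and the script's post-edit size is only an estimate.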

For more information, see How can I use resource-based policies with Lambda to grant permission to AWS services?

AWS OFFICIAL. Updated 8 months ago.