The behavior you're experiencing does seem unusual and could potentially be a bug in the AWS Lambda console or service.
When you toggle a Lambda function's logging configuration between text and JSON formats, Lambda should typically just update the existing permissions rather than creating new policies each time. The function needs the logs:PutLogEvents permission to send logs to CloudWatch Logs, which is usually included in the AWSLambdaBasicExecutionRole or added to the function's execution role by default.
Normally, changing the log format shouldn't require creating new permission policies. The same permissions are needed for both text and JSON logging formats. The fact that new policies are being created each time you toggle between formats, eventually hitting the policy limit, suggests there might be an issue with how the Lambda service is handling these configuration changes.
To work around this issue, you could try the following:
- Manually edit the function's execution role to include the necessary CloudWatch Logs permissions, rather than relying on Lambda to add them automatically.
- Clean up the duplicate policies in the IAM console to stay under the limit.
- Use the AWS CLI or SDK to update the logging configuration, which might avoid the issue you're seeing in the console.
It would be advisable to report this behavior to AWS support, as it appears to be unintended and could potentially cause issues for other users as well. They can investigate and potentially fix the issue in a future update to the Lambda service or console.
Sources
Configuring advanced logging controls for Lambda functions - AWS Lambda
Troubleshoot CloudWatch errors when creating AWS resources | AWS re:Post
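
For the cleanup step in the answer above, this added example (not part of the original answer and not AWS code) groups a role's policies by what they actually grant, so redundant copies can be identified before detaching them. The policy names, account ID and policy documents are constructed sample data; in practice the documents would be exported from the role's attached policies.

```python
import hashlib
import json
from collections import defaultdict

def _as_list(value):
    return value if isinstance(value, list) else [value]

def canonical_policy(document):
    """Normalise a policy document so equivalent policies compare equal."""
    statements = []
    for stmt in _as_list(document.get("Statement", [])):
        norm = {}
        for key, value in stmt.items():
            if key == "Sid":
                continue  # Sid is only a label, it grants nothing
            if key in ("Action", "NotAction"):
                # IAM action names are case-insensitive
                norm[key] = sorted(a.lower() for a in _as_list(value))
            elif key in ("Resource", "NotResource"):
                norm[key] = sorted(_as_list(value))
            else:
                norm[key] = value
        statements.append(json.dumps(norm, sort_keys=True))
    return json.dumps({"Version": document.get("Version"),
                       "Statement": sorted(statements)}, sort_keys=True)

def find_duplicates(policies):
    """policies: list of (name, document). Returns [(kept, [redundant, ...])]."""
    groups = defaultdict(list)
    for name, doc in policies:
        digest = hashlib.sha256(canonical_policy(doc).encode()).hexdigest()
        groups[digest].append(name)
    return [(names[0], names[1:]) for names in groups.values() if len(names) > 1]

# Constructed sample data: three equivalent logging policies and one unrelated.
ACCT = "arn:aws:logs:us-east-1:123456789012"
GROUP = ACCT + ":log-group:/aws/lambda/example-fn:*"
def _stmt(actions, resource, **extra):
    return {"Effect": "Allow", "Action": actions, "Resource": resource, **extra}
def _doc(*stmts):
    return {"Version": "2012-10-17", "Statement": list(stmts)}
SAMPLE = [
    ("logs-policy-a", _doc(_stmt("logs:CreateLogGroup", ACCT + ":*"),
        _stmt(["logs:CreateLogStream", "logs:PutLogEvents"], GROUP))),
    ("logs-policy-b", _doc(_stmt(["logs:CreateLogGroup"], ACCT + ":*", Sid="A"),
        _stmt(["logs:PutLogEvents", "logs:CreateLogStream"], [GROUP]))),
    ("logs-policy-c", _doc(_stmt(["logs:putlogevents", "logs:CreateLogStream"], GROUP),
        _stmt("logs:CreateLogGroup", [ACCT + ":*"]))),
    ("s3-read", _doc(_stmt("s3:GetObject", "arn:aws:s3:::example-bucket/*"))),
]
```

Each returned pair names one policy to keep and the copies that grant exactly the same permissions; review the redundant ones before detaching or deleting them.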