Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)

8

33

I have an AWS root user which I used to create a S3 bucket on Amazon.
Now I want to make this bucket public by adding following policy:

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my bucket name>/*"
   }]
}

Where <my bucket name> is the name of the bucket. When I try to save this policy I get a 403 access denied.

I tried explicitly setting the s3:PutBucketPolicy permission but it still gives a 403. Anybody knows why?

This is the image error:

image of the aws error message

Perennial answered 19/11, 2018 at 11:38 Comment(10)
Could you please verify that the "root" user you have, actually has correct permissions to modify S3?Gipsy
Doesn't the root user always have full access to the bucket if he created it? I also created an IAM user with permissions for the bucket and that user also can't adjust bucket policyPerennial
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "arn:aws:s3:::bucketname" } ] }Perennial
that is the policy for the IAM user but he still can't change the bucket policy. Even tried through the aws cliPerennial
Have you attached it to the user?Gipsy
yes it is attached directlyPerennial
You are missing "Principal" : { "AWS" : "*"} in your policyGipsy
The issue is that I can't update the bucket policy because I get a 403 forbidden. I've tried to set the policy through the aws console and aws cli. I've also confirmed that I'm the owner of the bucket and I'm logged in with the correct account.Perennial
Can you please update your post with the access your account has? Picture if possibleGipsy
I've posted the answer that seemed to work for me :)Perennial
37

Capture on my AWS S3

Uncheck the 2 rows to fix the access denied error. But please remember to read it carefully and consider it before you create a new bucket. Permission is really important.

Usually answered 20/11, 2018 at 6:43 Comment(2)
This is incorrect. Tijl is setting a bucket policy, not an ACL. The 'block new public policies' checkmark is the one that needs to be uncheckedAnemometer
@KenKrueger This answer is from 2018 and I haven't used AWS for 4 years. Feel free to share your solution below. Thank you.Harlandharle
23

If deploying via CloudFormation or AWS SAM, you need to explicitly allow the bucket to be public like so:

  MyExampleBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
        RestrictPublicBuckets: false

Then you can specify an AWS::S3::BucketPolicy that allows public access.

Tambac answered 9/5, 2023 at 7:4 Comment(1)
This changed from the AWS side. Before it wasn't necessary to specify those two props. Thanks!!Selfinduction
6

I've tried creating a new bucket and by setting the following permission parameters unchecked (false) the bucket policy can now be adjusted to make the bucket objects public. Afterwards I ticked off the four previous checkboxes and now it works.

permissions


Perennial answered 19/11, 2018 at 12:45 Comment(0)
6

For folks struggling with this error using aws-cdk and already existing bucket:

Take a look if you are not trying to modify bucket policy when you have set "blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL" or any other blocking s3.BlockPublicAccess in Bucket properties.

You have to turn it off or remove that property if you want to modify the policy. After deploying (modifying) policy you can set the blockPublicAccess property back again.

Zecchino answered 7/11, 2022 at 12:16 Comment(0)
1

2023 Update: cdk created bucket

In case someone comes here trying to deploy a bucket: I needed to add blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,

  const siteBucket = new Bucket(stack, BUCKET_ID, {
    bucketName: `${BUCKET_NAME}-${buildConfig.Environment}`,
    publicReadAccess: true,
    blockPublicAccess: BlockPublicAccess.BLOCK_ACLS,
    removalPolicy: RemovalPolicy.DESTROY,
    websiteIndexDocument: 'index.html',
  })
Aloise answered 29/8, 2023 at 16:36 Comment(0)
0

The original blog post on block public access (https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/) explains the observed behavior.

It appears you have created the bucket via the console, which means 'block public access' rules are on by default. This includes 'block public access to buckets and objects granted through new public bucket policies'. This option "disallows ... public bucket policies, and ... future PUT requests that include them will fail." This is the exact error described.

Since you are attempting to use a bucket policy, not an ACL, you would need to disable 'block public access to buckets and objects granted through new public bucket policies'. Uncheck that block option and your put will be successful.
This presumes that you have the ability to unblock public access at the account level.

Note that since April 2023, the means by which you create the bucket no longer influences this behavior, see https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/. The block behavior is the same whether a bucket is created via console, CLI, SDK, CloudFormation, CDK, etc.

Anemometer answered 1/5, 2023 at 15:6 Comment(0)
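The rule this answer describes can be checked before calling the API. The following preflight script is an added illustration, not code from the question or from any answer on this page: it classifies a bucket policy as "public" the way Block Public Access does (an Allow statement with a wildcard principal and no condition that pins the caller to a fixed account, ARN, org, VPC, VPC endpoint or source IP), combines the account-level and bucket-level PublicAccessBlock settings (a flag is effective if either level sets it), and reports whether PutBucketPolicy will be refused and at which level BlockPublicPolicy must be cleared. The condition-key list is an approximation of the documented rule, not the service's evaluator; the sample policies, the bucket name and the VPC endpoint ID are constructed placeholders.

```python
import json

# Constructed approximation of the condition keys that, used with a non-negated
# operator, stop AWS from treating a "*" principal statement as public.
# Illustration of the documented rule, not the service's own evaluator.
NON_PUBLIC_CONDITION_KEYS = {
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:principalorgpaths", "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
    "aws:sourcearn", "aws:sourceaccount", "aws:userid",
    "s3:dataaccesspointaccount", "s3:dataaccesspointarn",
}

# The four PublicAccessBlock flags; only BlockPublicPolicy gates PutBucketPolicy.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _is_restricted(condition):
    """True if some non-negated condition pins the caller to a fixed value."""
    for operator, keys in (condition or {}).items():
        if "not" in operator.lower():
            continue  # StringNotEquals, NotIpAddress etc. widen the audience
        if any(k.lower() in NON_PUBLIC_CONDITION_KEYS for k in keys):
            return True
    return False


def public_statements(policy):
    """Return identifiers of the Allow statements that make the policy public."""
    public = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _has_wildcard_principal(stmt.get("Principal")):
            continue
        if _is_restricted(stmt.get("Condition")):
            continue
        public.append(stmt.get("Sid", f"statement[{idx}]"))
    return public


def effective_block(account_pab, bucket_pab):
    """A flag is effectively on if either the account or the bucket sets it."""
    return {flag: bool(account_pab.get(flag, False) or bucket_pab.get(flag, False))
            for flag in PAB_FLAGS}


def preflight_put_bucket_policy(policy, account_pab, bucket_pab):
    """Predict whether PutBucketPolicy is refused (the 403 in the question)."""
    offenders = public_statements(policy)
    block = effective_block(account_pab, bucket_pab)
    result = {"allowed": True, "public_statements": offenders, "set_at": []}
    if offenders and block["BlockPublicPolicy"]:
        result["allowed"] = False
        # Report which level(s) set the flag, so the operator knows what to change.
        result["set_at"] = [level for level, pab in (("account", account_pab),
                                                     ("bucket", bucket_pab))
                            if pab.get("BlockPublicPolicy", False)]
    return result


# Constructed sample: the policy from the question, with a placeholder bucket name.
QUESTION_POLICY = json.loads("""
{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket-placeholder/*"
   }]
}
""")

# Constructed sample: same grant, pinned to one VPC endpoint, so not "public".
VPCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromOurEndpointOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}},
    }],
}

# What a console-created bucket gets by default: all four flags on.
CONSOLE_DEFAULT_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    print(preflight_put_bucket_policy(QUESTION_POLICY, {}, CONSOLE_DEFAULT_PAB))
    print(preflight_put_bucket_policy(QUESTION_POLICY, {}, {"BlockPublicPolicy": False}))
    print(preflight_put_bucket_policy(VPCE_POLICY, {}, CONSOLE_DEFAULT_PAB))
```

Two things the check makes visible that the error message does not: clearing the flag on the bucket is not enough when the account-level setting is also on (the `set_at` list names both), and a policy with a fixed-value condition such as `aws:SourceVpce` is accepted with the block still enabled, which is usually the safer way to grant broad read access than opening the bucket to everyone.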
0

Just in case anyone is reading this and using Terraform, you have to first use this resource when creating any public policy:

resource "aws_s3_bucket_public_access_block" "example" {
    bucket = aws_s3_bucket.example.id

    block_public_acls       = false
    block_public_policy     = false
}
Stepson answered 16/5, 2024 at 19:18 Comment(0)
0

Call this before using putBucketPolicy:

await s3.putPublicAccessBlock({
  Bucket: bucket_name,
  PublicAccessBlockConfiguration: {
    BlockPublicAcls: false,
    IgnorePublicAcls: false,
    BlockPublicPolicy: false,
    RestrictPublicBuckets: false
  }
}).promise();
Pastoralize answered 13/7, 2024 at 13:59 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.Swart

© 2022 - 2025 — McMap. All rights reserved.