I am trying to allow Public Access to an Object via ACL in a bucket which is Private; however, I am getting the message Access Denied. Is the Bucket Level policy preventing any changes in underlying objects?
Bucket Policy has priority over ACL policy.
When multiple access control mechanisms come into play, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.
In accordance with the principle of least privilege, decisions default to DENY and an explicit DENY always trumps an ALLOW. For example, if an IAM policy grants access to an object, the S3 bucket policy denies access to that object, and there is no S3 ACL, then access will be denied.
Similarly, if no method specifies an ALLOW, then the request will be denied by default. Only if no method specifies a DENY and one or more methods specify an ALLOW will the request be allowed.
So it is basically a combination of all the access control mechanisms. If your ACL or Bucket Policy are set to Deny, then access will be denied.
There is a good diagram here, explaining this really well:
The content of the training needs to be updated to include that the "Block public access (bucket settings)" needs to be adjusted in order to even create an ACL which allows public access to an object. Otherwise you cannot create it at all.
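
The decision rule from the answer above and the Block Public Access point from the last comment, modelled as an added example (not part of the original thread, and not AWS's actual evaluation engine). The `Bucket` class, the `PUBLIC` marker and the tuple shapes are constructed for illustration; `block_public_acls` and `ignore_public_acls` model S3's BlockPublicAcls and IgnorePublicAcls settings.

```python
# Simplified model (added example) of the decision rule described in the thread.
# It is not AWS's evaluation engine; all data shapes below are constructed.
from dataclasses import dataclass, field

PUBLIC = "*"  # constructed marker for a grant or statement that applies to everyone


@dataclass
class Bucket:
    block_public_acls: bool = True    # models the BlockPublicAcls setting
    ignore_public_acls: bool = True   # models the IgnorePublicAcls setting
    policy: list = field(default_factory=list)       # (effect, principal, action)
    object_acls: dict = field(default_factory=dict)  # key -> set of (grantee, action)


def put_object_acl(bucket, key, grants):
    """Reject a public ACL at write time while BlockPublicAcls is on."""
    if bucket.block_public_acls and any(g == PUBLIC for g, _ in grants):
        return "AccessDenied"
    bucket.object_acls[key] = set(grants)
    return "OK"


def is_allowed(bucket, iam_statements, principal, action, key):
    """Explicit Deny wins, otherwise any Allow wins, otherwise default deny."""
    effects = []
    for effect, who, act in list(iam_statements) + list(bucket.policy):
        if who in (principal, PUBLIC) and act == action:
            effects.append(effect)
    for grantee, act in bucket.object_acls.get(key, ()):
        if grantee == PUBLIC and bucket.ignore_public_acls:
            continue  # public grants are ignored while IgnorePublicAcls is on
        if grantee in (principal, PUBLIC) and act == action:
            effects.append("Allow")  # ACLs can only grant, never deny
    if "Deny" in effects:
        return False
    return "Allow" in effects


if __name__ == "__main__":
    b = Bucket()  # private bucket with Block Public Access left on
    grant = [(PUBLIC, "s3:GetObject")]
    print(put_object_acl(b, "report.pdf", grant))  # the situation in the question
    b.block_public_acls = b.ignore_public_acls = False
    print(put_object_acl(b, "report.pdf", grant))
    print(is_allowed(b, [], "anonymous", "s3:GetObject", "report.pdf"))
```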