Reputation: 21
So, I recently created a new AWS account to use S3 storage. I currently have only my root user account. I am using the Java aws-sdk to upload files. The S3Client object is set up using my root account secret key and access key. Also, I am simply using the aws-sdk's built-in putObject() method to upload. Nothing fancy here.
Now, I tried attaching policy to my bucket to restrict upload and download feature on the bucket. Firstly, I had given all S3object permissions to my bucket and could upload successfully through the code. Then I tried to attach only getObject, putObject, getObjectAcl, putObjectAcl in my policy, and could again upload successfully.
After this, I removed putObject and putObjectAcl, only had getObject permissions but surprisingly could still upload files using my code. I believe removing upload permissions would give me 403 Access Denied. Is it because I am using my root user access key and secret key, which gives some extra rights? Or is there something fundamental that I'm missing here?
My Policy without upload permission:
{
  "Id": "PolicyXXXXXXX",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StmtXXXXXX",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::11111111111:root"
        ]
      }
    }
  ]
}
Upvotes: 0
Views: 869
Reputation: 1948
The user whose access key and secret key you are using should already have the putObject permission.
If resource-based policies and identity-based policies both apply to a request, then AWS checks all the policies for at least one Allow. Please refer here for policy evaluation logic.
If an action is allowed by an identity-based policy, a resource-based policy, or both, then AWS allows the action.
Upvotes: -1
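The evaluation rule the answer quotes, worked through in code. This is an added example, not code from the question or the answer: a simplified Python model of AWS's same-account policy evaluation (an explicit Deny in any applicable policy wins; otherwise an Allow from either the identity-based policy or the bucket policy is enough; otherwise the request is implicitly denied), applied to the bucket policy from the question. The account id, the IAM user `uploader`, the object key, the statement Sids and the identity policy `USER_FULL_S3` are constructed for the example; service control policies, permission boundaries, session policies and cross-account requests are deliberately left out.

```python
import fnmatch

ACCOUNT = "111111111111"                               # constructed sample account id
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/uploader"     # hypothetical IAM user
BUCKET = "bucket-name"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.txt"       # constructed object key


def _matches(patterns, value):
    """IAM-style wildcard match; accepts a single pattern or a list of them."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal_arn):
    """Bucket-policy statements name a Principal; identity-policy statements do not."""
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    return _matches(principal.get("AWS", []), principal_arn)


def _effects(policy, principal_arn, action, resource):
    """Effect of every statement in `policy` that applies to this request."""
    return [
        stmt["Effect"]
        for stmt in policy.get("Statement", [])
        if _principal_matches(stmt, principal_arn)
        and _matches(stmt["Action"], action)
        and _matches(stmt["Resource"], resource)
    ]


def evaluate(principal_arn, identity_policies, bucket_policy, action, resource):
    """Same-account evaluation: explicit Deny > any Allow > implicit Deny.

    The root user has no attached policies and is treated by AWS as having
    full access; that is modelled here as an implicit Allow on every request.
    """
    effects = ["Allow"] if principal_arn.endswith(":root") else []
    for pol in identity_policies:
        effects += _effects(pol, principal_arn, action, resource)
    effects += _effects(bucket_policy, principal_arn, action, resource)
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# The question's bucket policy (trailing comma removed), as a dict.
GET_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GetOnly", "Effect": "Allow",
        "Principal": {"AWS": [ROOT_ARN]},
        "Action": ["s3:GetObject", "s3:GetObjectAcl"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Same policy plus an explicit Deny: the only way a bucket policy can take
# PutObject away from a principal that is allowed it somewhere else.
DENY_PUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": GET_ONLY_POLICY["Statement"] + [{
        "Sid": "NoUploads", "Effect": "Deny", "Principal": "*",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Hypothetical identity-based policy attached to the IAM user.
USER_FULL_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}


def root_put_with_get_only_policy():
    # Root's implicit Allow is not removed by a bucket policy that only Allows.
    return evaluate(ROOT_ARN, [], GET_ONLY_POLICY, "s3:PutObject", OBJECT_ARN)


def root_put_with_explicit_deny():
    return evaluate(ROOT_ARN, [], DENY_PUT_POLICY, "s3:PutObject", OBJECT_ARN)


def root_get_with_explicit_deny():
    return evaluate(ROOT_ARN, [], DENY_PUT_POLICY, "s3:GetObject", OBJECT_ARN)


def user_put_with_get_only_policy():
    # No identity policy and not named in the bucket policy: implicit Deny.
    return evaluate(USER_ARN, [], GET_ONLY_POLICY, "s3:PutObject", OBJECT_ARN)


def user_put_with_identity_allow():
    # Within one account an Allow from the identity policy alone is enough.
    return evaluate(USER_ARN, [USER_FULL_S3], GET_ONLY_POLICY, "s3:PutObject", OBJECT_ARN)


def user_put_with_identity_allow_and_explicit_deny():
    return evaluate(USER_ARN, [USER_FULL_S3], DENY_PUT_POLICY, "s3:PutObject", OBJECT_ARN)


if __name__ == "__main__":
    print("root PutObject, get-only bucket policy:", root_put_with_get_only_policy())
    print("root PutObject, explicit Deny added:   ", root_put_with_explicit_deny())
```

Running it shows why the question's policy never produced a 403: a bucket policy made only of Allow statements can add permissions but cannot subtract the ones the root user already has, so only an explicit Deny changes the outcome. Two practical caveats: an explicit Deny in a bucket policy does apply to the root user for object operations, so test such a policy with care (the bucket owner's root user can always delete or replace the bucket policy again); and the real decision can also be checked against the live policies with `aws iam simulate-principal-policy` instead of reasoning by hand.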