
AWS IAM GroupPolicy - Why is the s3:PutObject permission not working?

I have a group and I have applied the policy below to the group. I added a user to the group and created access keys for the user. I am able to Get from "mybucket" but I am not able to Put to "mybucket". When I try to Put, I get "Access Denied". Can anyone tell me what I am doing wrong? Please let me know.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
            },
            {
                "Effect": "Deny",
                "Action": ["*"],
                "NotResource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
            }
        ]
    }

EDIT: Someone asked me to state the goal of the policy. I want to "Allow" only PUT and GET permissions to the group for the specified buckets. I want to explicitly "Deny" all other permissions to the group for all resources NOT (NotResource) specified. I added the explicit "Deny" based on an article AWS posted that suggested that it was a good practice to do so.


From: IAM Language Info

Each policy must cover only a single bucket and resources within that bucket (when writing a policy, don't include statements that refer to other buckets or resources in other buckets)


Deny statements always take precedence over Allow statements, which would imply that the above policy should block all access by the user. How are you doing the Get and Put requests? Is it possible that the Gets were performed anonymously (without authentication)?

It would be helpful to understand what your goal was for the above policy. What is the purpose of the Deny statement?

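To see which requests the Deny statement in the question actually catches, here is an added example (not from the question or the answer) that traces the posted policy through the evaluation order the answer describes: an applicable explicit Deny wins, then an Allow, otherwise the request is implicitly denied. It is a deliberately simplified model of IAM (no conditions, principals or bucket policies); the object key `report.csv` and the bucket `otherbucket` are constructed sample values.

```python
import json
import re

# The question's policy, embedded here as the input under test.
POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]},
    {"Effect": "Deny",
     "Action": ["*"],
     "NotResource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]}
  ]
}""")


def _glob_to_re(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                         for c in pattern) + "$"


def _matches(patterns, value, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.match(_glob_to_re(p), value, flags) for p in patterns)


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive; ARNs are matched as written.
    if not _matches(stmt["Action"], action, ignore_case=True):
        return False
    if "Resource" in stmt:
        return _matches(stmt["Resource"], resource)
    # NotResource: the statement covers every resource EXCEPT the listed ones.
    return not _matches(stmt["NotResource"], resource)


def evaluate(policy, action, resource):
    """Simplified IAM decision: applicable Deny wins, then Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, resource)}
    if "Deny" in effects:
        return "explicit deny"
    if "Allow" in effects:
        return "allow"
    return "implicit deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket/report.csv"   # constructed object ARN
    for action, resource in [("s3:GetObject", obj), ("s3:PutObject", obj),
                             ("s3:PutObjectAcl", obj), ("s3:DeleteObject", obj),
                             ("s3:PutObject", "arn:aws:s3:::otherbucket/report.csv"),
                             ("s3:ListAllMyBuckets", "*")]:
        print(f"{action:<22} {resource:<45} -> {evaluate(POLICY, action, resource)}")
```

Because the Deny uses NotResource, it does not apply to objects under mybucket, so under these rules a plain PutObject on `mybucket/report.csv` resolves to allow while the same request against another bucket, or an account-level call such as s3:ListAllMyBuckets on `*`, is explicitly denied. Anything the Allow statement does not list (for instance s3:PutObjectAcl, which a PutObject that also sets an ACL header requires) falls through to implicit deny.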
