7.7 Cross-Origin Resource Sharing (CORS) on AWS S3

What is CORS?

Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism through which a server allows or restricts web applications running at one origin (domain) from accessing its resources. In the context of AWS S3, a bucket's CORS settings determine whether a web page hosted on a different domain may read or write the data in that bucket.

Why is CORS Important for S3 Buckets?

  • Security: CORS adds a layer of control by ensuring that only the browser origins you list can load your S3 content from a web page.
  • Flexibility: It lets web applications access resources on other domains in a controlled way, which modern web development relies on.
  • Control: It offers granular control over which origins may access the data in your S3 buckets, and with which HTTP methods and headers.

Setting Up CORS on AWS S3 via Management Console

  1. Log In and Select Bucket:
    • Access the AWS Management Console and navigate to the S3 service.
    • Select the bucket you want to configure CORS for.
  2. Access Bucket Permissions:
    • In the bucket settings, click on the “Permissions” tab.
  3. CORS Configuration:
    • Scroll to the “CORS configuration” section.
    • Click on “Edit” to modify or add CORS rules.
    • You can specify various elements such as allowed origins, allowed methods (GET, PUT, POST, DELETE), and headers.
  4. Enter CORS Rules:
    • Use XML format to define your CORS rules. For example:

  5. Save Changes:
    • After setting your CORS configuration, save the changes.

To test CORS, you also need to enable public access at the S3 bucket level.

Changes at the bucket policy level (YOUR_BUCKET_NAME is a placeholder; the Action and Resource values follow from the statement's Sid, which grants public read of objects only):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
            ]
        }
    ]
}
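A public-read policy like the one above is the one place in this setup where the bucket is deliberately opened to anyone, so it is worth checking that it grants nothing more than object reads. The following is an added example, not code from the original post: a small reviewer that parses a bucket policy, finds every Allow statement whose Principal is public, and reports actions beyond s3:GetObject or resources that are bucket-level rather than object-level. The two policies embedded below are constructed samples with a placeholder bucket name.

```python
import json

# Constructed sample: the public-read bucket policy from this section, placeholder bucket name.
PUBLIC_READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME/*"]
    }
  ]
}
""")

# Constructed over-broad variant: same shape, but every S3 action on the bucket and its objects.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicEverything",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::YOUR_BUCKET_NAME", "arn:aws:s3:::YOUR_BUCKET_NAME/*"]
    }
  ]
}
""")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for the two spellings that mean 'anyone, including anonymous callers'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def review_public_statements(policy):
    """Return one finding per Allow statement that is open to any principal.

    Each finding carries the problems a reviewer would raise: any action other
    than s3:GetObject, and any resource that is the bucket itself rather than
    an object path (bucket/*). An empty problem list means the statement is a
    plain public-read grant like the one shown in this section.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        problems = []
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "s3:getobject":
                problems.append(f"action {action} is broader than s3:GetObject")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.endswith("/*"):
                problems.append(f"resource {resource} is bucket-level, not object-level")
        findings.append({"sid": stmt.get("Sid", "<no Sid>"), "problems": problems})
    return findings


if __name__ == "__main__":
    for name, policy in (("public-read", PUBLIC_READ_POLICY), ("over-broad", OVERBROAD_POLICY)):
        for finding in review_public_statements(policy):
            print(name, finding["sid"], finding["problems"] or "ok")
```

The checker is deliberately strict: a public principal combined with anything other than object reads is reported, and a bucket-level resource is reported because, paired with a listing action, it would expose the bucket's key names as well as its objects.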

Testing CORS via the command line

You can also test CORS using curl from the command line. This method is more technical and is usually used for troubleshooting.

  1. Open your command line tool.
  2. Use the following curl command, replacing BUCKET-NAME and OBJECT-KEY with your bucket and object details, and the Origin value with the domain you want to simulate the request from:

curl -H "Origin: http://example.com" \
     -H "Access-Control-Request-Method: GET" \
     -I https://BUCKET-NAME.s3.amazonaws.com/OBJECT-KEY

curl -H "Origin: http://awstrianingwithjagan.com" -H "Access-Control-Request-Method: GET" -I https://awstrainingwithjagandemo.s3.amazonaws.com/aws_invoice_jan.docx

If the Origin matches one of your CORS rules, the response includes Access-Control-Allow-Origin and Access-Control-Allow-Methods headers; if no rule matches, S3 returns the object's headers without any Access-Control-* headers.


Configuring CORS on AWS S3 via AWS CLI

  1. Create a CORS Configuration File:
    • Prepare a CORS configuration in XML format and save it as a file (e.g., cors-config.xml).
  2. Use AWS CLI to Apply Configuration:
    • Use the following command to apply your CORS configuration to a specific bucket:

aws s3api put-bucket-cors --bucket YOUR_BUCKET_NAME --cors-configuration file://cors-config.xml

  3. Verify Configuration:
    • To confirm the CORS settings, use:

aws s3api get-bucket-cors --bucket YOUR_BUCKET_NAME

Understanding CORS Configuration Elements

  • AllowedOrigin: Specifies which origins (scheme, host and port, with at most one * wildcard) are allowed to access the resources.
  • AllowedMethod: Defines the HTTP methods (GET, PUT, POST, DELETE, HEAD) that are permitted from those origins.
  • MaxAgeSeconds: Indicates how long, in seconds, the browser may cache the result of a preflight request.
  • AllowedHeader: Specifies which request headers the browser may send, that is, the headers it lists in Access-Control-Request-Headers during the preflight request.
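To tie the XML format from console step 4, the curl test above and the elements just listed together, here is an added example that is not code from the original post: a Python model that parses a constructed cors-config.xml, decides which rule (if any) would answer a given Origin, method and set of requested headers, and flags rules that pair a wildcard origin with write methods. The sample origins and rules are constructed, and the matcher is a simplified model of S3's documented rule selection (first matching rule wins, one * wildcard per origin or header), not AWS's own code.

```python
import xml.etree.ElementTree as ET

# Constructed sample cors-config.xml (the format the console and `put-bucket-cors` accept).
# Rule 1: one named site may read and upload, sending Authorization and x-amz-* headers.
# Rule 2: anyone may read; a wildcard origin is only defensible with read-only methods.
CORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://app.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>x-amz-*</AllowedHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
  </CORSRule>
</CORSConfiguration>
"""


def _local(tag):
    """Strip the XML namespace so configs with or without the S3 xmlns parse the same way."""
    return tag.split("}")[-1]


def parse_cors_config(xml_text):
    """Parse CORSConfiguration XML into a list of rule dicts, one per CORSRule."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in (e for e in root.iter() if _local(e.tag) == "CORSRule"):
        fields = {"AllowedOrigin": [], "AllowedMethod": [], "AllowedHeader": [], "MaxAgeSeconds": []}
        for child in rule:
            name = _local(child.tag)
            if name in fields:
                fields[name].append((child.text or "").strip())
        rules.append({
            "origins": fields["AllowedOrigin"],
            "methods": [m.upper() for m in fields["AllowedMethod"]],
            "headers": fields["AllowedHeader"],
            "max_age": int(fields["MaxAgeSeconds"][0]) if fields["MaxAgeSeconds"] else None,
        })
    return rules


def _wildcard_match(pattern, value):
    """AllowedOrigin/AllowedHeader may contain one '*', standing for any run of characters."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def evaluate_cors(rules, origin, method, request_headers=()):
    """Simplified model (assumption, not AWS code) of S3 rule matching for one request.

    The first rule whose AllowedOrigin matches the Origin, whose AllowedMethod lists the
    method, and whose AllowedHeader covers every requested header wins. Returns the CORS
    response headers for that rule, or None when nothing matches (S3 then sends no
    Access-Control-* headers, which is what the curl test in this section reveals).
    """
    method = method.upper()
    for rule in rules:
        if not any(_wildcard_match(p, origin) for p in rule["origins"]):
            continue
        if method not in rule["methods"]:
            continue
        if not all(any(_wildcard_match(p.lower(), h.lower()) for p in rule["headers"])
                   for h in request_headers):
            continue
        response = {
            "Access-Control-Allow-Origin": "*" if "*" in rule["origins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["methods"]),
        }
        if request_headers:
            response["Access-Control-Allow-Headers"] = ", ".join(request_headers)
        if rule["max_age"] is not None:
            response["Access-Control-Max-Age"] = str(rule["max_age"])
        return response
    return None


def risky_rules(rules):
    """Indices of rules that pair a wildcard origin with a state-changing method."""
    writes = {"PUT", "POST", "DELETE"}
    return [i for i, r in enumerate(rules) if "*" in r["origins"] and writes & set(r["methods"])]


if __name__ == "__main__":
    rules = parse_cors_config(CORS_XML)
    print(evaluate_cors(rules, "https://app.example.com", "PUT", ["Authorization", "x-amz-acl"]))
    print(evaluate_cors(rules, "https://other.example.net", "PUT"))  # None: wildcard rule is GET-only
    print("risky rules:", risky_rules(rules))
```

Rule order matters: because the first matching rule answers, a broad wildcard rule placed first would shadow the stricter rule for the named site, so keep specific rules ahead of any * rule and run risky_rules over the parsed file before applying it with put-bucket-cors.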

Best Practices and Considerations

  • Security: Be cautious with the origins you allow. Specifying * (all origins) can be risky.
  • Testing: Thoroughly test CORS settings to ensure they meet your application’s requirements.
  • Monitoring: Regularly review and update your CORS configuration as your application needs evolve.


Implementing CORS on AWS S3 is a critical step for enabling secure, cross-origin access to your bucket resources. Whether through the AWS Management Console or the CLI, setting up CORS is a straightforward process that enhances the security and accessibility of your web applications.
