Cross Origin Resource Sharing (CORS) with S3
Start course

This course has been designed to introduce you to the different security controls and methods that have been built into Amazon S3 to protect your data and enhance your overall security posture. You will learn about resource ownership, access control policies, S3 Access Points, Access Analyzer, and how to use Cross Origin Resource Sharing (CORS).

If you have any feedback relating to this course, please contact us at

Learning Objectives

  • Understand resource ownership in Amazon S3
  • Use policies to control access
  • Scale access to shared buckets with S3 Access Points
  • Use Access Analyzer to monitor access to buckets
  • Learn what Cross Origin Resource Sharing (CORS) is and how to use it

Intended Audience

This course is intended for anyone who is responsible for securing, designing, and managing Amazon S3, or who simply wants to learn more about security in Amazon S3.


To get the most out of this course, you should have a basic understanding of Amazon S3. It's also recommended that you have a solid understanding of AWS IAM policy syntax and structure.


Hello, and welcome to this short lecture covering Cross Origin Resource Sharing, known as CORS in Amazon S3. At a high level, CORS allows specific resources on a webpage to be requested from a different domain than its own. And this allows you to build client-side web applications. And then if required, you can utilize CORS support to access resources stored in S3.

Let's take a look at how to configure CORS for a bucket which as you might expect involves the use of policies and these policies are embedded in the CORS configuration of the bucket itself which can be found under the Permissions tab.

Let's take a look at an example which has a single rule. The following policy allows you to use PUT, POST, and DELETE from the origin of The AllowedHeaders element of the policy determines which headers are allowed in a preflight request through the Access-Control-Request-Headers header, which is used by browsers to let the server know which HTTP header the client might send when the actual request is made. And in this case, all headers will be allowed to be used in a preflight request.

Using this example, when the bucket receives a preflight request from a browser, S3 will evaluate the policy associated with the bucket for its CORS configuration and will process the first matching rule in the policy. A match is made when the following conditions in the rule are met.

The requestor's Origin header matches an entry made in the AllowedOrigins element. The method used in the request, for example a POST or DELETE operation is matched in the AllowedMethods element. And finally, the headers used within the requests Access-Control-Request-Headers header with a preflight request matches a value in the AllowedHeader element.

The ExposeHeader element in the policy is used to define a header in the response that is allowed to be made by customer applications. For a full reference to the common S3 response headers, take a look at the common response headers in the S3 API Reference Guide found here.

Your CORS policy can contain more than one rule. For example, the following policy contains two rules. The first rule is the same as the one we looked at earlier and the second rule only allows PUT and POST operations following the origin of

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.