Using cross-origin resource sharing (CORS)
https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html
Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources.
This section provides an overview of CORS. The subtopics describe how you can enable CORS using the Amazon S3 console, or programmatically by using the Amazon S3 REST API and the AWS SDKs.
Cross-origin resource sharing: Use-case scenarios
The following are example scenarios for using CORS.
Scenario 1
Suppose that you are hosting a website in an Amazon S3 bucket named website, as described in Hosting a static website using Amazon S3. Your users load the website endpoint:
http://website.s3-website.us-east-1.amazonaws.com
Now you want JavaScript on the webpages that are stored in this bucket to be able to make authenticated GET and PUT requests against the same bucket by using the Amazon S3 API endpoint for the bucket, website.s3.us-east-1.amazonaws.com. A browser would normally block JavaScript from making those requests, but with CORS you can configure your bucket to explicitly enable cross-origin requests from website.s3-website.us-east-1.amazonaws.com.
Scenario 2
Suppose that you want to host a web font from your S3 bucket. Again, browsers require a CORS check (also called a preflight check) for loading web fonts. You would configure the bucket that is hosting the web font to allow any origin to make these requests.
How does Amazon S3 evaluate the CORS configuration on a bucket?
When Amazon S3 receives a preflight request from a browser, it evaluates the CORS configuration for the bucket and uses the first CORSRule rule that matches the incoming browser request to enable a cross-origin request. For a rule to match, the following conditions must be met:
The Origin header in a CORS request to your bucket must match the origins in the AllowedOrigins element in your CORS configuration.
The HTTP methods that are specified in the Access-Control-Request-Method header in a CORS request to your bucket must match the method or methods listed in the AllowedMethods element in your CORS configuration.
The headers listed in the Access-Control-Request-Headers header in a preflight request must match the headers in the AllowedHeaders element in your CORS configuration.
Note: The ACLs and policies continue to apply when you enable CORS on your bucket.
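The first-match evaluation described above, modelled in Python as an added example (not AWS code), useful for checking which CORSRule a given preflight request would hit before a configuration is deployed. The sample rules are constructed from the two scenarios on this page; treating `*` as a wildcard and comparing header names case-insensitively are assumptions not stated here.

```python
import re

# Constructed sample configuration, in rule order:
# rule 0 is the "any origin" web font rule from Scenario 2,
# rule 1 is the website origin from Scenario 1 with GET and PUT.
SITE = "http://website.s3-website.us-east-1.amazonaws.com"
RULES = [
    {"AllowedOrigins": ["*"], "AllowedMethods": ["GET"]},
    {"AllowedOrigins": [SITE], "AllowedMethods": ["GET", "PUT"],
     "AllowedHeaders": ["*"]},
]


def _wild(pattern, value, ignore_case=False):
    # Assumption: "*" in a pattern stands for any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def first_matching_rule(rules, origin, method, request_headers=()):
    """Return the index of the first rule that meets all three conditions.

    origin          -- value of the Origin header
    method          -- value of Access-Control-Request-Method
    request_headers -- names listed in Access-Control-Request-Headers
    Returns None when no rule matches (the cross-origin request is not enabled).
    """
    for index, rule in enumerate(rules):
        # Condition 1: Origin must match an AllowedOrigins entry.
        if not any(_wild(p, origin) for p in rule.get("AllowedOrigins", [])):
            continue
        # Condition 2: requested method must be listed in AllowedMethods.
        if method not in rule.get("AllowedMethods", []):
            continue
        # Condition 3: every requested header must match AllowedHeaders.
        allowed = rule.get("AllowedHeaders", [])
        if all(any(_wild(p, h, ignore_case=True) for p in allowed)
               for h in request_headers):
            return index
    return None


if __name__ == "__main__":
    print(first_matching_rule(RULES, SITE, "PUT", ["content-type"]))
    print(first_matching_rule(RULES, SITE, "GET"))
    print(first_matching_rule(RULES, "http://other.example", "PUT"))
```

Because the first matching rule wins, a GET from the website origin is served by the broad rule 0 rather than rule 1, so rule order matters when a wildcard-origin rule sits beside a narrower one.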
How Object Lambda Access Point supports CORS
When S3 Object Lambda receives a request from a browser or the request includes an Origin header, S3 Object Lambda always adds an "AllowedOrigins":"*" header field.
For more information about using CORS, see the following topics.
Topics
Elements of a CORS configuration
Configuring cross-origin resource sharing (CORS)
Testing CORS
Troubleshooting CORS