AWS S3 CORS: Allowing Your Website to Talk to S3

One of my “aha!” moments with AWS was when I hosted a static website on S3. Everything looked great—until my browser blocked requests to my S3 bucket. The error? CORS policy issue.

Let’s demystify CORS and see how to fix it in S3.

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism. By default, the browser prevents a website on one domain from freely accessing resources on another domain; CORS is how the other domain tells the browser which websites are allowed.

Example:

  • Your website is hosted on mywebsite.com.

  • Your assets (images, JSON, fonts) are stored in an S3 bucket.

  • Without a CORS configuration on the bucket, the browser blocks these cross-origin requests.

Setting Up CORS on S3

Here’s how to configure it:

  1. Go to your S3 bucket → Permissions tab.

  2. Scroll to Cross-origin resource sharing (CORS).

  3. Add a configuration like this:

[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "POST"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": []
  }
]

This example allows pages on any origin to send GET and POST requests to your bucket. For production, replace "*" in AllowedOrigins with your specific domain (e.g., "https://mywebsite.com").

Best Practices

  • Don’t keep "*" in production—it’s too open.

  • Restrict methods to only what you need (e.g., GET for images).

  • Use HTTPS origins for security.
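The three practices above can be checked mechanically before a configuration is applied. The following is an added example, not code from the original article: the function name `audit_cors` and the hardened configuration are assumptions made for illustration, and the first sample input is the article's own JSON.

```python
import json

# Methods a page needs only to read objects; anything else deserves a second look.
READ_METHODS = {"GET", "HEAD"}

def audit_cors(rules):
    """Return (rule_index, finding) pairs for a list of S3 CORS rules."""
    findings = []
    for i, rule in enumerate(rules):
        for origin in rule.get("AllowedOrigins", []):
            if origin == "*":
                findings.append((i, "AllowedOrigins is '*': any website may call the bucket"))
                continue
            if "*" in origin:
                findings.append((i, f"wildcard origin {origin!r} matches many hosts"))
            if not origin.startswith("https://"):
                findings.append((i, f"origin {origin!r} is not HTTPS"))
        methods = {m.upper() for m in rule.get("AllowedMethods", [])}
        extra = sorted(methods - READ_METHODS)
        if extra:
            findings.append((i, f"non-read methods allowed: {', '.join(extra)}"))
    return findings

# The configuration shown in the article.
ARTICLE_CONFIG = json.loads("""
[
  {
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "POST"],
    "AllowedOrigins": ["*"],
    "ExposeHeaders": []
  }
]
""")

# Constructed production variant: one HTTPS origin, read-only.
# AllowedHeaders is left as in the article.
HARDENED_CONFIG = [
    {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET"],
        "AllowedOrigins": ["https://mywebsite.com"],
        "ExposeHeaders": [],
    }
]

if __name__ == "__main__":
    for name, cfg in (("article", ARTICLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_cors(cfg)
        print(name, "->", results if results else "no findings")
```

CORS only tells the browser which origins may read responses; whether a request is authorized at all is still decided by the bucket policy and IAM.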

Conclusion

CORS might look intimidating at first, but it’s simply about telling browsers: “Hey, it’s okay for this website to fetch data from my bucket.”

So the next time you face that scary red CORS error, just remember: all it takes is a small JSON config in your S3 bucket!

Written by

Ruchika Gurbaxani

AWS Cloud Enthusiast | Cybersecurity Aware

Cloud-savvy and security-conscious, I'm a tech enthusiast with a strong foundation in Python, C, Networking, and Cloud Computing. Currently preparing for AWS certifications, I’ve completed the Mastercard Cybersecurity Virtual Experience and hold the ZTCA (Zscaler Zero Trust Certified Associate) certification. My projects reflect a passion for secure, scalable cloud solutions—notably SilentWhisper, an anonymous communication app. Recognized for achievements in NASA’s Scientist for a Day, Smart India Hackathon, and creative competitions like painting at Raman Science Center. I'm also active on LeetCode, HackerRank, and GitHub, where I regularly enhance my problem-solving and development skills.