Hello
That's correct. Preflight (OPTIONS) does not require authentication and will work the same whether or not the S3 bucket is Public or Private.
Amazon S3 supports cross-origin resource sharing (CORS) by enabling you to add a cors subresource on a bucket. When a browser sends this preflight request, Amazon S3 responds by evaluating the rules that are defined in the cors configuration. If cors is not enabled on the bucket, then Amazon S3 returns a 403 Forbidden response. https://docs.aws.amazon.com/AmazonS3/latest/API/RESTOPTIONSobject.html
If you put a CORS policy on the S3 bucket, even if the bucket is private, using the example here https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html, a browser can send this preflight request to Amazon S3 to determine if it can send an actual request with the specific origin, HTTP method, and headers.
S3 bucket name: mybucket
[
    {
        "AllowedHeaders": [ "*" ],
        "AllowedMethods": [ "PUT", "POST", "DELETE", "GET" ],
        "AllowedOrigins": [ "http://www.example.com" ],
        "ExposeHeaders": [ "x-amz-server-side-encryption", "x-amz-request-id", "x-amz-id-2" ],
        "MaxAgeSeconds": 3000
    }
]
curl -v https://mybucket.region.amazonaws.com/example.txt -X OPTIONS -H "Access-Control-Request-Method:GET" -H "Origin:http://www.example.com"
One will get the following response:
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: PUT, POST, DELETE, GET
< Access-Control-Expose-Headers: x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2
< Access-Control-Max-Age: 3000
< Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
< Server: AmazonS3
Regards!
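The rule evaluation described in the answer above, as a simplified Python model (an added example, not part of the original answer and not AWS code). It assumes the first rule whose origin, method and requested headers all match wins; `wildcard_match` and `evaluate_preflight` are hypothetical names, and the function takes no credentials as input.

```python
import json

# CORS configuration copied from the answer above.
CORS_RULES = json.loads("""
[{"AllowedHeaders": ["*"],
  "AllowedMethods": ["PUT", "POST", "DELETE", "GET"],
  "AllowedOrigins": ["http://www.example.com"],
  "ExposeHeaders": ["x-amz-server-side-encryption", "x-amz-request-id", "x-amz-id-2"],
  "MaxAgeSeconds": 3000}]
""")


def wildcard_match(pattern, value):
    """Compare value to a pattern that may hold one '*' wildcard."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def evaluate_preflight(rules, origin, method, request_headers=()):
    """Return (status, matched_rule) for an OPTIONS preflight.

    Assumed model: the first rule whose origin, method and requested
    headers all match wins; with no match, or no rules at all, the
    answer is 403. Credentials and bucket policy are never inputs.
    """
    for rule in rules:
        if not any(wildcard_match(p, origin) for p in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [p.lower() for p in rule.get("AllowedHeaders", [])]
        # Header names are compared case-insensitively.
        if all(any(wildcard_match(p, h.lower()) for p in allowed)
               for h in request_headers):
            return 200, rule
    return 403, None


if __name__ == "__main__":
    # Same origin and method as the curl command in the answer.
    print(evaluate_preflight(CORS_RULES, "http://www.example.com", "GET")[0])
    # An origin the rule does not list (constructed value).
    print(evaluate_preflight(CORS_RULES, "http://other.example.org", "GET")[0])
```

Because access control is not part of this decision, a 200 on the preflight says nothing about whether the actual GET or PUT will be authorized; that is still decided by IAM and the bucket policy.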