
S3 Preflight and IAM


Hello, we are in the process of converting our Public buckets to Private buckets. As part of our due diligence we are reviewing our logs for unauthenticated S3 access now that all our code changes are complete.

We are seeing many S3 PREFLIGHT requests (REST.OPTIONS.PREFLIGHT), which I understand are related to the browser validating CORS. I looked at the IAM documentation and I do not see any reference to Preflight, which leads me to believe Preflight does NOT require authentication and will work the same whether or not the S3 bucket is Public or Private.

Is that correct? Will making our buckets Private break Preflight?

Thank you!

1 Answer

Hello

That's correct. Preflight (OPTIONS) does not require authentication and will work the same whether or not the S3 bucket is Public or Private.

Amazon S3 supports cross-origin resource sharing (CORS) by enabling you to add a cors subresource on a bucket. When a browser sends this preflight request, Amazon S3 responds by evaluating the rules that are defined in the cors configuration. If cors is not enabled on the bucket, then Amazon S3 returns a 403 Forbidden response. https://docs.aws.amazon.com/AmazonS3/latest/API/RESTOPTIONSobject.html

If you put a CORS policy on the S3 bucket, even if the bucket is private, using the example here https://docs.aws.amazon.com/AmazonS3/latest/userguide/ManageCorsUsing.html, a browser can send this preflight request to Amazon S3 to determine if it can send an actual request with the specific origin, HTTP method, and headers.

S3 bucket name: mybucket

    [
        {
            "AllowedHeaders": ["*"],
            "AllowedMethods": ["PUT", "POST", "DELETE", "GET"],
            "AllowedOrigins": ["http://www.example.com"],
            "ExposeHeaders": ["x-amz-server-side-encryption", "x-amz-request-id", "x-amz-id-2"],
            "MaxAgeSeconds": 3000
        }
    ]

    curl -v https://mybucket.s3.region.amazonaws.com/example.txt -X OPTIONS -H "Access-Control-Request-Method: GET" -H "Origin: http://www.example.com"

one will get the following response:

    < HTTP/1.1 200 OK
    < Access-Control-Allow-Origin: *
    < Access-Control-Allow-Methods: PUT, POST, DELETE, GET
    < Access-Control-Expose-Headers: x-amz-server-side-encryption, x-amz-request-id, x-amz-id-2
    < Access-Control-Max-Age: 3000
    < Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
    < Server: AmazonS3

Regards!

answered a month ago
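An added example, not code from the answer above or from AWS: it models the rule evaluation the answer describes, taking a bucket's CORS configuration and a browser's preflight request and returning the status and headers S3 would send. The function names (`evaluate_preflight`, `_wildcard_match`) are hypothetical, and the way the Allow-Origin header is echoed is an assumption; the point it shows is that the 200-or-403 outcome depends only on the cors subresource, never on IAM or bucket ACLs.

```python
import json

# Constructed sample: the CORS configuration quoted in the answer above.
CORS_CONFIG = json.loads("""[{
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["PUT", "POST", "DELETE", "GET"],
    "AllowedOrigins": ["http://www.example.com"],
    "ExposeHeaders": ["x-amz-server-side-encryption", "x-amz-request-id", "x-amz-id-2"],
    "MaxAgeSeconds": 3000
}]""")


def _wildcard_match(pattern, value):
    # S3 permits at most one '*' in an AllowedOrigins/AllowedHeaders entry.
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def evaluate_preflight(config, origin, method, request_headers=()):
    """Return the (status, headers) S3 would send for this preflight.

    The first rule whose AllowedOrigins matches Origin, whose AllowedMethods
    holds the requested method and whose AllowedHeaders cover every requested
    header wins with a 200; no match, or no CORS configuration at all, is a 403.
    IAM policies and bucket ACLs play no part in this decision.
    """
    for rule in config or []:
        if not any(_wildcard_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(any(_wildcard_match(a, h.lower()) for a in allowed)
                   for h in request_headers):
            continue
        headers = {
            # Assumption: S3 echoes the Origin unless the rule itself allows "*".
            "Access-Control-Allow-Origin": "*" if "*" in rule["AllowedOrigins"] else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if rule.get("ExposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return 200, headers
    return 403, {}
```

Run the function against your own bucket's configuration (for example the output of `aws s3api get-bucket-cors`) with the origins you expect to see in the REST.OPTIONS.PREFLIGHT log entries to confirm which of them a private bucket will still answer with 200.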
