
I have generated a presigned S3 URL. When trying to access it from the JS code, I am getting the error "No 'Access-Control-Allow-Origin' header is present on the requested resource". My bucket CORS configuration was:

    <CORSConfiguration>
      <CORSRule>
       <AllowedOrigin>*</AllowedOrigin>
       <AllowedMethod>GET</AllowedMethod>
       <MaxAgeSeconds>3000</MaxAgeSeconds>
       <AllowedHeader>Authorization</AllowedHeader>
      </CORSRule>
    </CORSConfiguration>

Based on a few resources I have found online (CORS, Presigned URL, S3, etc.), I have changed the CORS configuration to:

    <CORSConfiguration>
      <CORSRule>
       <AllowedOrigin>*</AllowedOrigin>
       <AllowedMethod>GET</AllowedMethod>
       <MaxAgeSeconds>3000</MaxAgeSeconds>
       <AllowedHeader>*</AllowedHeader>
      </CORSRule>
    </CORSConfiguration>

and it worked: I am now able to access the URL through the JS code. But I am trying to understand whether there are any security implications of changing this tag from Authorization to *.

Please let me know.

Minions
  • This is a similar question: https://stackoverflow.com/questions/41664431/what-is-the-recommended-cors-configuration-of-hosting-javascript-on-s3-cf – K F Aug 07 '18 at 06:51

1 Answer


This will depend on how you plan to use the presigned URL.

  • If it is going to be used by a web application/server to access an S3 resource temporarily, the CORS AllowedOrigin should be restricted to the domain of the application that will be requesting the resource. Generally, this CORS configuration (Access-Control-Allow-Origin) has the greatest security impact. See this or this.

    You can limit it with a wildcard or specific domain:

    <AllowedOrigin>https://*.mydomain.s3.amazonaws.com</AllowedOrigin>
    
  • If it will be requested by multiple clients (i.e. an end-user web browser), then you have no option but to set <AllowedOrigin>*</AllowedOrigin>, so this will not be the recommended approach.

If you have restricted access to only allow domains you trust, then the security implications of setting AllowedHeader to * are minimal.

moebius
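To see concretely what each configuration lets a browser do, here is a simplified model of S3's CORS rule matching (one `*` wildcard per AllowedOrigin/AllowedHeader, every header in Access-Control-Request-Headers must match an entry); it is an added example, not code from the question or the answer. The rule dicts, the sample origins and the case-insensitive header comparison are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Sequence

# Constructed sample rules mirroring the two configurations discussed above,
# parsed into plain dicts (a real bucket returns the XML form).
RULES_STRICT: List[Dict] = [{"origins": ["https://app.example.com"], "methods": ["GET"],
                             "headers": ["Authorization"], "max_age": 3000}]
RULES_OPEN: List[Dict] = [{"origins": ["*"], "methods": ["GET"],
                           "headers": ["*"], "max_age": 3000}]


def wild_match(pattern: str, value: str) -> bool:
    """Match with at most one '*' wildcard, as S3 allows in AllowedOrigin/AllowedHeader."""
    if pattern.count("*") > 1:
        raise ValueError("S3 permits at most one '*' per AllowedOrigin/AllowedHeader")
    if "*" not in pattern:
        return pattern == value
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def evaluate_cors(rules: Sequence[Dict], origin: str, method: str,
                  request_headers: Sequence[str] = ()) -> Optional[Dict[str, str]]:
    """Return the CORS response headers the first matching rule would yield,
    or None when no rule matches (the browser then blocks the cross-origin read)."""
    for rule in rules:
        matched = next((o for o in rule["origins"] if wild_match(o, origin)), None)
        if matched is None or method not in rule["methods"]:
            continue
        # Every header the browser announces in Access-Control-Request-Headers must
        # match some AllowedHeader entry; '*' matches anything, names compared
        # case-insensitively (modeling assumption).
        if not all(any(wild_match(h.lower(), rh.lower()) for h in rule["headers"])
                   for rh in request_headers):
            continue
        return {
            # A literal '*' rule is echoed as '*'; otherwise the request origin is echoed.
            "Access-Control-Allow-Origin": "*" if matched == "*" else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["methods"]),
            "Access-Control-Allow-Headers": ", ".join(request_headers),
            "Access-Control-Max-Age": str(rule["max_age"]),
        }
    return None
```

CORS only decides whether a browser may read the cross-origin response; the presigned URL itself remains usable by any client that holds it, so restricting AllowedOrigin protects against other sites' scripts, not against leakage of the URL, and a short expiry stays essential.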