Is AWS S3 CORS policy at file level?

Posted 2020-07-10 09:28

Question:

I'm trying to apply a CORS policy to my S3 bucket, and what I am observing is that, if at any point of time, I modify the CORS policy, the older files that were uploaded to S3 still do not use the new CORS policy. For example:

  1. I created an S3 bucket "X"
  2. Added the following CORS policy -

    <CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>https://app1.example.com</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-amz-meta-custom-header</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    </CORSConfiguration>
    
  3. Successfully uploaded a file a.jpeg from my application that is hosted on https://app1.example.com. I was also able to do a GET and a DELETE.

  4. Now I need to use the same S3 bucket for another one of my hosted apps, say app2. So I modified the CORS policy to -

    <CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>https://app1.example.com</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-amz-meta-custom-header</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>https://app2.example.com</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <ExposeHeader>ETag</ExposeHeader>
        <ExposeHeader>x-amz-meta-custom-header</ExposeHeader>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    </CORSConfiguration>
    
  5. Now when I try to GET the file a.jpeg from https://app2.example.com, I still see the below error

    XMLHttpRequest cannot load <S3 URL>. Origin https://app2.mydomain.com is not allowed by Access-Control-Allow-Origin.
    
  6. However if I try to upload a new file b.jpeg from https://app2.mydomain.com, everything works as expected.

EDIT

I forgot to mention this earlier, but we have a CloudFront CDN in front of our S3 bucket, but I cannot find any config related to setting CORS policy in the CloudFront config.

Is there a way by which we can enforce the new CORS policy on previously uploaded files as well? Or is there some other way to make this work?
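
An added example, not part of the original question and not AWS code: a small model of bucket-level CORS evaluation using the two-rule policy from step 4, placed behind a hypothetical cache that keys on the URL only. The helper names, `UrlKeyedCache`, and the assumption that the CDN ignores the `Origin` header when caching are illustrative and are not taken from the asker's CloudFront configuration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two-rule policy from step 4, trimmed to the fields used here.
POLICY_XML = """<CORSConfiguration>
<CORSRule><AllowedOrigin>https://app1.example.com</AllowedOrigin>
  <AllowedMethod>POST</AllowedMethod><AllowedMethod>GET</AllowedMethod>
  <AllowedMethod>DELETE</AllowedMethod></CORSRule>
<CORSRule><AllowedOrigin>https://app2.example.com</AllowedOrigin>
  <AllowedMethod>POST</AllowedMethod><AllowedMethod>GET</AllowedMethod>
  <AllowedMethod>DELETE</AllowedMethod></CORSRule>
</CORSConfiguration>"""

def load_rules(xml_text):
    """Return [(allowed_origins, allowed_methods), ...] in document order."""
    root = ET.fromstring(xml_text)
    return [([o.text.strip() for o in rule.findall("AllowedOrigin")],
             {m.text.strip() for m in rule.findall("AllowedMethod")})
            for rule in root.findall("CORSRule")]

def origin_matches(pattern, origin):
    """AllowedOrigin is an exact string or contains a single '*' wildcard."""
    if "*" not in pattern:
        return pattern == origin
    head, tail = pattern.split("*", 1)
    return (len(origin) >= len(head) + len(tail)
            and origin.startswith(head) and origin.endswith(tail))

def s3_cors_headers(rules, origin, method):
    """Evaluate the bucket's rules per request; nothing is stored on the object."""
    for origins, methods in rules:
        for pattern in origins:
            if method in methods and origin_matches(pattern, origin):
                allow = "*" if pattern == "*" else origin
                return {"Access-Control-Allow-Origin": allow}
    return {}  # no rule matched: no CORS headers in the response

class UrlKeyedCache:
    """Hypothetical CDN: the first response for a URL is reused for every Origin."""
    def __init__(self, rules):
        self.rules, self.store = rules, {}

    def get(self, url, origin):
        if url not in self.store:
            self.store[url] = s3_cors_headers(self.rules, origin, "GET")
        return self.store[url]

def browser_allows(headers, origin):
    """The browser's check on Access-Control-Allow-Origin for a CORS read."""
    return headers.get("Access-Control-Allow-Origin") in (origin, "*")
```

In this model a direct request from app2 passes for any object, while an object first fetched through the cache by app1 keeps returning app1's header to app2, and an object app2 fetches first works.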