
CORS configuration in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Problem 1 - Service behavior (intermediate): Understanding CORS behavior in AWS S3

You have an AWS S3 bucket with the following CORS configuration:

{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://example.com"],
      "AllowedMethods": ["GET", "POST"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}

What will happen if a web page hosted on https://anotherdomain.com tries to make a GET request to this bucket?

A. The request will be redirected to https://example.com automatically.
B. The request will succeed because GET is allowed for all origins.
C. The request will succeed but only if the request includes credentials.
D. The request will be blocked by the browser due to CORS policy.
Hint:

Check which origins are allowed in the CORS configuration.

Problem 2 - Configuration (intermediate): Correct CORS configuration for multiple methods

You want to configure an AWS S3 bucket to allow cross-origin requests from https://myapp.com for GET, PUT, and DELETE methods. Which CORS configuration below is correct?

A.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://myapp.com"],
      "AllowedMethods": ["GET", "PUT", "DELETE", "POST"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
B.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["*"],
      "AllowedMethods": ["GET", "PUT", "DELETE"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
C.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://myapp.com"],
      "AllowedMethods": ["GET", "PUT", "DELETE"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
D.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://myapp.com"],
      "AllowedMethods": ["GET", "POST"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
Hint:

Only include the methods you want to allow.

Problem 3 - Security (advanced): Security risk in overly permissive CORS

An AWS S3 bucket has this CORS configuration:

{
  "CORSRules": [
    {
      "AllowedOrigins": ["*"],
      "AllowedMethods": ["GET", "PUT", "POST", "DELETE"],
      "AllowedHeaders": ["*"],
      "ExposeHeaders": ["ETag"],
      "MaxAgeSeconds": 3000
    }
  ]
}

What is the main security risk of this configuration?

A. Only websites from the same domain can access the bucket.
B. Any website can read and modify the bucket contents via cross-origin requests.
C. The bucket will reject all cross-origin requests due to wildcard origin.
D. The bucket will only allow GET requests from any origin.
Hint:

Think about what allowing all origins and methods means.

Problem 4 - Architecture (advanced): Designing CORS for a multi-region web app

You have a web app hosted in two regions: https://us.example.com and https://eu.example.com. Both need to access the same AWS S3 bucket. How should you configure CORS to allow both origins?

A.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://us.example.com", "https://eu.example.com"],
      "AllowedMethods": ["GET"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
B.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["*"],
      "AllowedMethods": ["GET"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
C.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://us.example.com"],
      "AllowedMethods": ["GET", "POST"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
D.
{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://us.example.com"],
      "AllowedMethods": ["GET"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    },
    {
      "AllowedOrigins": ["https://eu.example.com"],
      "AllowedMethods": ["GET"],
      "AllowedHeaders": ["*"],
      "MaxAgeSeconds": 3000
    }
  ]
}
Hint:

You can list multiple origins in the AllowedOrigins array of a single CORS rule.

Problem 5 - Best practice (expert): Optimizing CORS configuration for performance and security

You want to optimize your AWS S3 bucket's CORS configuration to reduce preflight requests and improve security. Which configuration change best achieves this?

A. Set AllowedOrigins to specific trusted domains, AllowedMethods to only needed methods, and increase MaxAgeSeconds.
B. Set AllowedOrigins to '*', AllowedMethods to all methods, and MaxAgeSeconds to 0.
C. Remove AllowedHeaders to allow any headers and set MaxAgeSeconds to 60.
D. Set AllowedOrigins to specific domains and AllowedMethods to only GET, but set MaxAgeSeconds to 0.
Hint:

Think about reducing preflight frequency and limiting access.