CloudFront CORS failing for preflight/options calls


I've configured S3 with access only through CloudFront and protected with a Lambda. The problem is that I'm not able to access the files from the SPA because of a failing preflight call. When testing this with Postman, a GET call returns an object with the CORS headers set correctly, but OPTIONS returns 403.

My configuration:

S3 CORS

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE",
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

CloudFront config (screenshot)

Lambda@Edge

I also have a simple Lambda that checks the JWT token included in the request. Lambda config (screenshot)

Results:

Postman GET (screenshot)

Postman OPTIONS (screenshot)

Message: "CORSResponse: This CORS request is not allowed. This is usually because the evalution of Origin, request method / Access-Control-Request-Method or Access-Control-Request-Headers are not whitelisted by the resource's CORS spec."

I've tried many variants of mixing and matching Cache policy, Origin request policy and Response headers policy from different tutorials and other stack overflow posts but nothing seems to help.

I will be very grateful for help since I have been struggling with this issue for a while, thanks!

Best answer:

The CloudFront setup is correct; the problem should be related to your Lambda@Edge: be aware that it is also triggered when the OPTIONS method is called.

It could be that your Lambda is trying to validate the JWT token also when it is triggered by OPTIONS calls and, since the JWT token is not included in the request, it returns a 403 error.

I suggest you check the CloudWatch logs to verify that, and handle the OPTIONS method inside Lambda@Edge by performing a passthrough: the CORS preflight headers will be added by the response headers policy (which you have already set correctly).