The following CORS configuration goes under Bucket > Permissions:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>
The API key ID and SECRET pair MUST NOT be made accessible to front-end applications: neither web-based apps (React.JS, Vue, etc.) nor mobile apps (React Native, Swift/Java, etc.).
The secret keys MUST stay on the server only. Client (front-end) apps (web/mobile) should ask the server for signed/pre-signed URLs to access or save files to S3, and must never store the API keys.