aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

CloudFormation adds `AWS::S3::Bucket CorsRule` optional properties when not specified #1942

Open garysassano opened 4 months ago

garysassano commented 4 months ago

Name of the resource

AWS::S3::Bucket

Resource Name

No response

Issue Description

Adding the following CORS Policy from the S3 AWS Console is valid:

```json
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD",
            "POST"
        ],
        "AllowedOrigins": [
            "*"
        ]
    }
]
```

Yet, if you try to apply the exact same configuration through CloudFormation:

```yaml
S3Bucket:
  Type: AWS::S3::Bucket
  DeletionPolicy: Retain
  UpdateReplacePolicy: Retain
  Properties:
    BucketName: "MyBucket"
    CorsConfiguration:
      CorsRules:
        - AllowedHeaders:
            - "*"
          AllowedMethods:
            - GET
            - HEAD
            - POST
          AllowedOrigins:
            - "*"
```

This is what you would end up with:

```json
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD",
            "POST"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 0
    }
]
```

Expected Behavior

I expected CloudFormation to honor the provided configuration, without adding any extra properties that are optional.

Observed Behavior

CloudFormation reserved the right to automatically append additional properties to your S3 CORS policy, despite them being optional.

Although the inclusion of `"ExposeHeaders": []` might be considered harmless, the same cannot be said for `"MaxAgeSeconds": 0`. This setting prevents the browser from caching, as opposed to when the property is not specified, allowing the browser to default to its standard caching period.

Test Cases

See above.

Other Details

No response
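
An added example, not part of the original issue or of any AWS tooling: a check that reports which CORS properties exist on the deployed bucket but were never declared in the template, the drift this issue describes. The function names are hypothetical, the sample data is constructed from the snippets above, and rules are assumed to be paired by position; on a real bucket the live policy would come from `aws s3api get-bucket-cors`.

```python
import json

# CloudFormation CorsRule property names that differ from the names the
# S3 API reports (the other properties share the same name in both).
CFN_TO_S3 = {"ExposedHeaders": "ExposeHeaders", "MaxAge": "MaxAgeSeconds", "Id": "ID"}


def to_s3_names(cfn_rule):
    """Rename a template CorsRule's keys to the names the S3 API reports."""
    return {CFN_TO_S3.get(key, key): value for key, value in cfn_rule.items()}


def injected_properties(cfn_rules, live_rules):
    """Return (rule_index, key, value) for each property found on the live
    bucket but absent from the template. Assumes rule order is preserved."""
    findings = []
    for index, (declared, live) in enumerate(zip(cfn_rules, live_rules)):
        declared = to_s3_names(declared)
        for key, value in live.items():
            if key not in declared:
                findings.append((index, key, value))
    return findings


def has_zero_max_age(findings):
    """True if an injected property is MaxAgeSeconds == 0, the value the
    issue reports as preventing browser caching."""
    return any(key == "MaxAgeSeconds" and value == 0 for _, key, value in findings)


# Constructed sample: the CorsRules declared in the template ...
TEMPLATE_RULES = [{
    "AllowedHeaders": ["*"],
    "AllowedMethods": ["GET", "HEAD", "POST"],
    "AllowedOrigins": ["*"],
}]
# ... and the policy observed on the bucket after deployment.
LIVE_RULES = json.loads("""[{
    "AllowedHeaders": ["*"], "AllowedMethods": ["GET", "HEAD", "POST"],
    "AllowedOrigins": ["*"], "ExposeHeaders": [], "MaxAgeSeconds": 0
}]""")

if __name__ == "__main__":
    found = injected_properties(TEMPLATE_RULES, LIVE_RULES)
    for index, key, value in found:
        print(f"rule {index}: {key}={value!r} is not declared in the template")
    if has_zero_max_age(found):
        print("MaxAgeSeconds was injected as 0")
```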

nmeisen commented 4 months ago

Don't forget to add the ticket to the project, or else the bot can't pick it up! (Added it for you.)