CloudFormation doesn't configure CORS on S3 bucket

[Sauraus]

Access to fetch at 'https://xxxxxxxxxx.cloudfront.net/api/settings' from origin 'https://statuspage-adminpages3-xxxxxxxxxx.s3.us-east-2.amazonaws.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Google Chrome 76 additionally gives the following error:
app.f59f09737709f6fb9b09.js:9 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://d1nr3v26vodwhc.cloudfront.net/api/settings with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

[ks888]

The access to https://xxxxxxxxxx.cloudfront.net/api/settings should be handled by the API gateway. Not S3. It looks like the setting of CloudFront is strange. Can you share the Behaviors part of your CloudFront distribution?