diff --git a/localstack/services/s3/s3_listener.py b/localstack/services/s3/s3_listener.py
index 66ee71b8df197..fa6c2298b6275 100644
--- a/localstack/services/s3/s3_listener.py
+++ b/localstack/services/s3/s3_listener.py
@@ -24,6 +24,8 @@
 from localstack.aws.api import CommonServiceException
 from localstack.config import get_protocol as get_service_protocol
 from localstack.services.generic_proxy import ProxyListener
+from localstack.services.generic_proxy import append_cors_headers as _append_default_cors_headers
+from localstack.services.generic_proxy import is_cors_origin_allowed
 from localstack.services.s3 import multipart_content
 from localstack.services.s3.s3_utils import (
     ALLOWED_HEADER_OVERRIDES,
@@ -597,17 +599,21 @@ def append_cors_headers(
     if request_method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
         request_method = request_headers["Access-Control-Request-Method"]
 
+    # Strip all CORS headers (moto return allow-all by default)
+    for header in CORS_HEADERS:
+        if header in response.headers:
+            del response.headers[header]
+
     # Checking CORS is allowed or not
     try:
         cors = BackendState.cors_config(bucket_name)
         assert cors
     except Exception:
-        return
 
-    # Cleaning headers
-    for header in CORS_HEADERS:
-        if header in response.headers:
-            del response.headers[header]
+        # add default LocalStack CORS if the bucket is not configured and the origin is allowed
+        if is_cors_origin_allowed(request_headers):
+            _append_default_cors_headers(request_headers=request_headers, response=response)
+        return
 
     # Fetching origin of the request
     origin = get_origin_host(request_headers)