diff --git a/README.md b/README.md
index 24ceb5b..daa54bf 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_acl"></a> [acl](#input\_acl) | Specifies the ACL policy for a bucket | `string` | `"private"` | no |
+| <a name="input_cors_rules"></a> [cors\_rules](#input\_cors\_rules) | A configuration of object CORS rules:<br><br>  * `allowed_origins` - Requests from this origin can access the bucket;<br>  * `allowed_methods` - Specifies the acceptable operation type of buckets and objects;<br>  * `max_age_seconds` - Specifies the duration that your browser can cache CORS responses, expressed in seconds; | <pre>list(object({<br>    allowed_origins = list(string)<br>    allowed_methods = list(string)<br>    max_age_seconds = optional(number, 100)<br>  }))</pre> | `[]` | no |
 | <a name="input_force_destroy"></a> [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket, so that the bucket can be destroyed without error | `bool` | `false` | no |
 | <a name="input_lifecycle_rules"></a> [lifecycle\_rules](#input\_lifecycle\_rules) | A configuration of object lifecycle management:<br><br>  * `key` - Unique identifier for lifecycle rules, the Rule Name contains a maximum of 255 characters;<br>  * `enabled` - Specifies lifecycle rule status;<br>  * `prefix`  - Object key prefix identifying one or more objects to which the rule applies. If omitted, all objects in<br>    the bucket will be managed by the lifecycle rule;<br>  * `expiration_days` - Specifies the number of days when objects that have been last updated are automatically deleted. | <pre>map(object({<br>    enabled         = optional(bool, true)<br>    prefix          = optional(string, null)<br>    expiration_days = number<br>  }))</pre> | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | Specifies the name of the Object Store | `string` | n/a | yes |
diff --git a/main.tf b/main.tf
index 630011b..ac15cc1 100644
--- a/main.tf
+++ b/main.tf
@@ -24,5 +24,14 @@ resource "huaweicloud_obs_bucket" "main" {
     }
   }
 
+  dynamic "cors_rule" {
+    for_each = var.cors_rules
+    content {
+      allowed_methods = cors_rule.value.allowed_methods
+      allowed_origins = cors_rule.value.allowed_origins
+      max_age_seconds = cors_rule.value.max_age_seconds
+    }
+  }
+
   tags = var.tags
 }
diff --git a/variables.tf b/variables.tf
index 1c00393..69cf41e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -81,6 +81,31 @@ DES
   default = {}
 }
 
+variable "cors_rules" {
+  description = <<DES
+  A configuration of object CORS rules:
+
+  * `allowed_origins` - Requests from this origin can access the bucket;
+  * `allowed_methods` - Specifies the acceptable operation type of buckets and objects;
+  * `max_age_seconds` - Specifies the duration that your browser can cache CORS responses, expressed in seconds;
+DES
+  type = list(object({
+    allowed_origins = list(string)
+    allowed_methods = list(string)
+    max_age_seconds = optional(number, 100)
+  }))
+  default = []
+  validation {
+    condition = alltrue(flatten([
+      for rule in var.cors_rules : [
+        for method in rule.allowed_methods :
+        contains(["GET", "PUT", "POST", "DELETE", "HEAD"], method)
+      ]
+    ]))
+    error_message = "Each method in allowed_methods should be one of: 'GET', 'PUT', 'POST', 'DELETE', 'HEAD'."
+  }
+}
+
 variable "tags" {
   description = "Specifies the key/value pairs to associate with the OBS"
   type        = map(string)