I spent hours trying to enable CORS on AWS Lambda through API gateway (it was supposed to be simple and Amazon had a nice tutorial) but it turns out that there's a known bug that makes Lambda Proxy Integrations not adhere to any setting in the API Gateway, you have to respond with the headers through the Lambda yourself.

Amazon now mentions this in the tutorial, but if you click "Enable CORS" in API Gateway, it'll show you green check marks and tell you that everything went fine, but you'll find that the Lambda does not respond with the CORS headers. They shouldn't even have "Enable CORS" as an option when you use their Lambda Proxy Integration.