diff --git a/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.js b/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.js
index 7f90c3134..294a7b644 100644
--- a/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.js
+++ b/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.js
@@ -30,9 +30,13 @@ module.exports = {
 'Access-Control-Allow-Origin': `'${origin}'`,
 'Access-Control-Allow-Headers': `'${config.headers.join(',')}'`,
 'Access-Control-Allow-Methods': `'${config.methods.join(',')}'`,
- 'Access-Control-Allow-Credentials': `'${config.allowCredentials}'`,
 };
 
+ // Only set Access-Control-Allow-Credentials when explicitly allowed (omit if false)
+ if(config.allowCredentials === true) {
+ preflightHeaders['Access-Control-Allow-Credentials'] = `'${config.allowCredentials}'`;
+ }
+
 // Enable CORS Max Age usage if set
 if (_.has(config, 'maxAge')) {
 if (_.isInteger(config.maxAge) && config.maxAge > 0) {
diff --git a/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.test.js b/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.test.js
index 4415a817e..849991779 100644
--- a/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.test.js
+++ b/lib/plugins/aws/package/compile/events/apiGateway/lib/cors.test.js
@@ -157,7 +157,7 @@ describe('#compileCors()', () => {
 awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources
 .ApiGatewayMethodUsersUpdateOptions.Properties.Integration.IntegrationResponses[0]
 .ResponseParameters['method.response.header.Access-Control-Allow-Credentials']
- ).to.equal("'false'");
+ ).to.equal(undefined);
 expect(
 awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources
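Review bot: The guard `if(config.allowCredentials === true)` silently drops any non-boolean value (for example the string `'true'`), where the removed line would still have emitted it; unless config validation elsewhere already coerces this field to a boolean, that is a quiet behaviour change that deserves a comment or an explicit warning. Inside the branch the interpolated value can only ever be `'true'`, so `preflightHeaders['Access-Control-Allow-Credentials'] = "'true'";` states the intent more directly, and `if (` matches the spacing of the `if (_.has(config, 'maxAge'))` line just below. A `true` here combined with a wildcard `Access-Control-Allow-Origin` (the `'${origin}'` line at the top of the hunk) yields a preflight response that browsers reject, so this branch is the natural place to validate, or at least document, that origin must be explicit when credentials are allowed; whether origin can be `*` at this point is not visible in the hunk. The `preflightHeaders` object literal and its enclosing function begin before this hunk.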
@@ -194,7 +194,7 @@ describe('#compileCors()', () => {
 awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources
 .ApiGatewayMethodUsersDeleteOptions.Properties.Integration.IntegrationResponses[0]
 .ResponseParameters['method.response.header.Access-Control-Allow-Credentials']
- ).to.equal("'false'");
+ ).to.equal(undefined);
 expect(
 awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources
@@ -233,7 +233,7 @@ describe('#compileCors()', () => {
 awsCompileApigEvents.serverless.service.provider.compiledCloudFormationTemplate.Resources
 .ApiGatewayMethodUsersAnyOptions.Properties.Integration.IntegrationResponses[0]
 .ResponseParameters['method.response.header.Access-Control-Allow-Credentials']
- ).to.equal("'false'");
+ ).to.equal(undefined);
 });
 });
diff --git a/tests/integration-all/api-gateway/tests.js b/tests/integration-all/api-gateway/tests.js
index c51982321..adf302225 100644
--- a/tests/integration-all/api-gateway/tests.js
+++ b/tests/integration-all/api-gateway/tests.js
@@ -117,7 +117,7 @@ describe('AWS - API Gateway Integration Test', function() {
 ].join(',');
 expect(headers.get('access-control-allow-headers')).to.equal(allowHeaders);
 expect(headers.get('access-control-allow-methods')).to.equal('OPTIONS,GET');
- expect(headers.get('access-control-allow-credentials')).to.equal('false');
+ expect(headers.get('access-control-allow-credentials')).to.equal(null);
 // TODO: for some reason this test fails for now...
 // expect(headers.get('access-control-allow-origin')).to.equal('*');
 });