Question #940
A company uses Amazon API Gateway with native API key validation for its REST API. A new onboarding system generates API keys via CreateApiKey and distributes them to users. However, newly onboarded users receive a 403 Forbidden error when invoking the API, while existing users continue to function normally.
What code modification is required to resolve this issue for new users?
A. Invoke the createDeployment method to redeploy the API and activate the new API keys.
B. Call the updateAuthorizer method to refresh the API's authorizer with the latest API keys.
C. Use the importApiKeys method to bulk import new API keys into the API's active stage.
D. Execute the createUsagePlanKey method to link the new API key to the appropriate usage plan.
Explanation
Answer D is correct because Amazon API Gateway requires API keys to be associated with a usage plan to grant access to the API. Creating an API key (via CreateApiKey) does not automatically link it to a usage plan. Without this linkage, API Gateway rejects requests with a 403 Forbidden error. The createUsagePlanKey method explicitly connects the new API key to the appropriate usage plan, enabling validation.
Other options are incorrect:
- A: Redeploying the API (createDeployment) does not activate new keys; deployment applies API configuration changes, not key associations.
- B: updateAuthorizer refers to custom authorizers (e.g., Lambda/Cognito), not native API key validation.
- C: importApiKeys is for bulk imports and unrelated to linking keys to usage plans.
Key Takeaway: API keys must be both created and linked to a usage plan to work with API Gateway's native key validation.
Answer
The correct answer is: D