nerdexam
Amazon

DVA-C02 · Question #397

A company maintains a REST service using Amazon API Gateway and the API Gateway native API key validation. The company recently launched a new registration page, which allows users to sign up for the

The correct answer is D. The createUsagePlanKey method must be called to associate the newly created API key with the. In Amazon API Gateway, creating an API key with CreateApiKey alone is not sufficient - the key must also be associated with a usage plan via createUsagePlanKey before it can authenticate requests. Without this association, the API Gateway rejects the key with a 403, which is exac

Submitted by yuki_2020· Mar 5, 2026Development with AWS Services

Question

A company maintains a REST service using Amazon API Gateway and the API Gateway native API key validation. The company recently launched a new registration page, which allows users to sign up for the service. The registration page creates a new API key using CreateApiKey and sends the new key to the user. When the user attempts to call the API using this key, the user receives a 403 Forbidden error. Existing users are unaffected and can still call the API. What code updates will grant these new users access to the API?

Options

  • AThe createDeployment method must be called so the API can be redeployed to include the newly
  • BThe updateAuthorizer method must be called to update the API's authorizer to include the newly
  • CThe importApiKeys method must be called to import all newly created API keys into the current
  • DThe createUsagePlanKey method must be called to associate the newly created API key with the

How the community answered

(21 responses)
  • A
    5% (1)
  • B
    10% (2)
  • C
    5% (1)
  • D
    81% (17)

Explanation

In Amazon API Gateway, creating an API key with CreateApiKey alone is not sufficient - the key must also be associated with a usage plan via createUsagePlanKey before it can authenticate requests. Without this association, the API Gateway rejects the key with a 403, which is exactly the symptom described.

Why the distractors are wrong:

  • A is wrong because redeployment (createDeployment) is needed when API configuration changes, not when adding API keys - keys are independent of deployments.
  • B is wrong because updateAuthorizer deals with custom Lambda or Cognito authorizers, not native API key validation, which uses usage plans instead.
  • C is wrong because importApiKeys is a bulk import tool for migrating keys from external sources, not for activating newly created keys in the same account.

Memory tip: Think of it as a two-step lock: CreateApiKey cuts the key, but createUsagePlanKey is what puts it on the keyring - without the keyring, the key opens nothing.

Topics

#API Gateway#API Keys#Usage Plans#Access Control

Community Discussion

No community discussion yet for this question.

Full DVA-C02 Practice