
API Key enabled, but requests without key still running

In my API Gateway console, I did the following:

  • Created an API key
  • Associated the key with a deployed API stage
  • Checked the key's "Enabled" checkbox
  • For each method of each resource of my API, required the API key for authentication

I expected curl https://my-api-gateway-url/my-resource to 403, since I didn't include the x-api-key header, but it was a 200 instead. My Lambda function behind API Gateway ended up running when it shouldn't have run without the API key.

How can I ensure the key is required to authenticate all requests?

EDIT: I was following the documentation here: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-api-keys.html

Dillon asked Feb 09 '16 21:02


1 Answer

Just answered my own question. Posting my answer here as I know I'm not the only one wondering about this, like this person.

The answer is to redeploy your API. Although redeploying sounds obvious, the docs completely skip the vital last step, so it's easy to overlook.

Dillon answered Oct 12 '22 11:10
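A way to catch the situation described in this thread, as an added example that is not part of the original post or of AWS's own code: it reads a Swagger export of the deployed stage and lists the methods that the deployed snapshot still serves without an API key. The sample export is constructed, and the code assumes that the export marks key-protected methods with a security entry naming an apiKey scheme.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "x-amazon-apigateway-any-method"}

# Constructed sample of a stage export (Swagger 2.0), not taken from the page.
# Assumption: a real one is fetched from the deployed stage with something like
#   aws apigateway get-export --rest-api-id <api-id> --stage-name <stage> \
#       --export-type swagger export.json
SAMPLE_EXPORT = json.loads("""
{
  "swagger": "2.0",
  "securityDefinitions": {"api_key": {"type": "apiKey", "name": "x-api-key", "in": "header"}},
  "paths": {
    "/my-resource": {"get": {"security": [{"api_key": []}]}, "post": {}},
    "/health": {"get": {"security": []}}
  }
}
""")


def api_key_schemes(spec):
    """Names of the security schemes of type apiKey (Swagger 2 or OpenAPI 3 layout)."""
    defs = spec.get("securityDefinitions") or spec.get("components", {}).get("securitySchemes", {})
    return {name for name, d in defs.items() if d.get("type") == "apiKey"}


def methods_without_api_key(spec):
    """Return sorted 'METHOD /path' entries whose deployed definition needs no API key."""
    key_schemes = api_key_schemes(spec)
    default = spec.get("security", [])
    unprotected = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters' and other non-operation keys
            # An operation-level 'security' (even an empty list) overrides the global one.
            requirements = op.get("security", default)
            # Requirements are alternatives, so every alternative must include a key scheme.
            protected = bool(requirements) and all(key_schemes & set(r) for r in requirements)
            if not protected:
                unprotected.append(f"{method.upper()} {path}")
    return sorted(unprotected)


if __name__ == "__main__":
    for entry in methods_without_api_key(SAMPLE_EXPORT):
        print("no API key required:", entry)
```

Running it against an export taken before and after redeploying shows whether the key requirement set in the console has reached the stage.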