AWS Developer API Gateway: Complete Study Guide

Q: What is the difference between REST API and HTTP API in API Gateway?

REST APIs provide full-featured API management with support for advanced features. They include API keys, usage plans, authorizers, request/response transformations, and comprehensive monitoring. They offer maximum flexibility and control but with slightly higher cost and latency. HTTP APIs are lighter-weight, lower-cost alternatives that support core API functionality with better performance and lower latency. They're ideal for simple use cases where advanced features aren't needed. HTTP APIs don't support request/response mapping templates or certain advanced features. However, they're more cost-effective and faster for basic API requirements. Choose REST APIs for complex applications requiring advanced features. Choose HTTP APIs for simpler, high-performance scenarios. For the exam, understand that HTTP APIs represent the newer, more optimized approach when advanced features aren't needed.

Q: How do you implement custom authorization logic in API Gateway?

Lambda authorizers enable custom authorization by using Lambda functions to validate requests and return authorization policies. When a client invokes an API with a Lambda authorizer configured, API Gateway calls your Lambda function with the request context. Your function evaluates the authorization logic, such as validating OAuth tokens or checking database permissions. It then returns an IAM policy that permits or denies access. Lambda authorizers cache results using a configurable TTL to improve performance and reduce Lambda invocations. The exam frequently tests scenarios where you must implement custom logic beyond AWS IAM or Cognito, making Lambda authorizers the correct choice. You should understand how authorizers receive context information, how they return policies, and how caching affects performance.

Q: What are stage variables and when should you use them?

Stage variables are name-value pairs that you define for each stage. They allow you to parameterize API configurations based on the environment without modifying the API definition. You can reference stage variables in resource paths, query parameters, and mapping templates using the syntax `$stageVariables.variableName`. Common uses include specifying different Lambda function names, DynamoDB table names, or backend endpoints for different stages. For example, you might set a stage variable to point to dev-table for your development stage and prod-table for production. This enables you to manage a single API across multiple environments while maintaining environment-specific configurations. The exam tests your understanding of how stage variables enable flexible environment management and when they're more appropriate than duplicating API definitions across stages.

Q: How does API Gateway throttling work and how does it differ from quota limits?

Throttling limits the rate at which clients can call your API, measured in requests per second. API Gateway applies throttling at the account level with a default limit of 10,000 requests per second and a burst limit of 5,000 requests. When throttling is exceeded, API Gateway returns 429 Too Many Requests. Quota limits, implemented through usage plans, represent the total number of requests allowed within a time period for specific API keys or usage plans. Usage plans enable monetization by defining tiers with different rate and quota limits. Stage-level throttling lets you set custom limits for specific stages. Per-client throttling applies limits to individual API keys. Reserved capacity reserves a portion of your throttle limit for critical clients, ensuring they always have access. The exam tests distinguishing between these concepts and understanding how they work together to manage API usage.

Q: What is a mapping template and when would you use it?

Mapping templates use Velocity Template Language (VTL) to transform request and response data in API Gateway. Integration request templates transform client requests before sending them to backend services, enabling header manipulation, body transformation, and data extraction. Integration response templates transform backend responses before returning them to clients. Mapping templates are essential for adapting between client-expected formats and backend service formats. For example, you might extract specific fields from a JSON request body and pass them to a Lambda function. You might also transform a backend response structure into a different format for clients. The exam tests basic template writing, such as extracting values from events and formatting responses. Understanding context variables like `$input.path()`, `$stageVariables`, and `$context` enables you to write effective templates that adapt requests and responses to your requirements.

By FluentFlash Research Team·Updated 2026-04-30

AWS API Gateway is a fully managed service that enables you to create, publish, maintain, monitor, and secure APIs at scale. It acts as the front door for your applications, handling authentication, rate limiting, request transformation, and response mapping.

Understanding API Gateway is essential for the AWS Developer Associate exam and for building serverless applications on AWS. Whether you're building RESTful APIs, WebSocket APIs, or HTTP APIs, this service handles all the complexities of API management.

Structured flashcards help you reinforce declarative configurations, API types, and integration patterns that appear frequently on certification exams. This approach lets you quickly recall features like stages, authorizers, and throttling during exam preparation.

Key Takeaways

•API Gateway is a fully managed service providing REST, HTTP, and WebSocket APIs with built-in authentication, authorization, throttling, and caching.
•REST APIs suit feature-rich applications, HTTP APIs work best for simple high-performance scenarios, and WebSocket APIs enable real-time communication.
•Stages enable environment management with separate configurations, stage variables, logging, and caching for development, testing, and production.
•Lambda authorizers provide custom authorization by validating requests in Lambda functions and returning IAM policies that permit or deny access.
•Velocity Template Language (VTL) mapping templates transform requests and responses, enabling data extraction and adaptation between clients and backends.
•Throttling limits request rates to prevent abuse, while usage plans with quota limits enable monetization and tier-based access control.

Understanding AWS API Gateway Fundamentals

AWS API Gateway is a fully managed service that allows you to create and manage APIs acting as the front door to your applications. It handles traffic management, authorization and access control, monitoring, and API version management without requiring infrastructure setup.

Core Capabilities

The service integrates seamlessly with AWS services like Lambda, DynamoDB, and EC2, making it ideal for serverless architectures. API Gateway automatically scales to handle any level of traffic, eliminating infrastructure management concerns.

When you create an API, you define resources and methods, configure integrations, and set up request and response transformations. Built-in features include request/response validation, CORS handling, and caching to optimize performance.

The Three Main API Types

REST APIs offer full control and feature richness for complex applications. HTTP APIs provide a lighter-weight option with lower latency and cost for simpler scenarios. WebSocket APIs enable real-time communication with two-way persistent connections.

Each API type serves different use cases. The exam frequently tests your understanding of when to use each type.

Monitoring and Pricing

API Gateway provides comprehensive logging, monitoring, and analytics through CloudWatch integration. This allows you to track API performance and diagnose issues effectively.

The service uses a pay-per-use pricing model, charging based on API calls received and data transferred out. This makes it cost-effective for variable workloads.

API Gateway Integration Types and Methods

API Gateway supports multiple integration types that determine how your API processes requests and returns responses. Understanding each type helps you select the right approach for your use case.

Integration Types Available

AWS Service integration: Direct integration with DynamoDB, Lambda, SQS, and SNS
Lambda integration: Triggers Lambda functions containing your business logic (ideal for serverless)
HTTP integration: Routes requests to external HTTP endpoints and third-party APIs
Mock integration: Returns predefined responses for testing and development
HTTP Proxy integration: Automatically forwards requests without explicit mapping

Request and Response Transformations

Integration requests transform client requests before sending them to the backend. This includes header manipulation, query parameter modification, and payload transformation.

Integration responses perform the reverse operation, transforming backend responses before returning them to clients. These transformations use Velocity Template Language (VTL) mapping templates, which allow you to extract data from requests, access context variables, and modify data structures.

The exam tests your ability to write simple mapping templates that extract values, concatenate strings, and format JSON responses.

CORS and Request Validation

API Gateway supports CORS (Cross-Origin Resource Sharing) configuration at the method level. This enables client-side web applications to make requests from different domains.

Request validation is critical for API security. API Gateway can validate requests against JSON schemas defined in your API specification, rejecting invalid requests before they reach your backend.

Authorization, Authentication, and Security in API Gateway

Security is paramount in API development. API Gateway provides multiple mechanisms to control access and authenticate requests based on your specific requirements.

Authorization Mechanisms

AWS IAM authorization: Uses identity and access management policies for service-to-service communication
API Key authorization: Implements simple key-based access control
Lambda authorizers: Enable custom authorization logic in Lambda functions
Amazon Cognito authorizers: Integrate with Cognito user pools and identity pools
Mutual TLS authentication: Uses client certificates for additional security

Lambda authorizers allow you to write custom logic that validates requests and returns authorization policies. This enables flexible authentication mechanisms like OAuth, SAML, or custom token validation. The exam frequently tests scenarios where you must select the appropriate mechanism for specific requirements.

Throttling and Rate Limiting

Throttling prevents abuse and ensures fair usage of your APIs. API Gateway allows you to set throttle limits at the account level, stage level, and per-client basis.

Reserved capacity lets you reserve a portion of your throttle limit for specific clients, ensuring critical applications always have access. You can track throttling events through CloudWatch metrics and set alarms to notify you when throttling occurs.

Usage Plans and Monetization

Usage plans define rate and quota limits, enabling API monetization and tier-based access control. You can associate multiple API keys with a single usage plan to control which clients are subject to those limits.

Request validation prevents malformed requests from reaching your backend by validating headers, request bodies, and query parameters against defined schemas.

API Gateway Stages, Deployment, and Monitoring

Stages represent different environments for your API, such as development, testing, staging, and production. Understanding stages is essential for managing multiple environments from a single API definition.

Working with Stages and Stage Variables

Each stage has its own settings, including stage variables, logging configuration, caching behavior, and throttle settings. Stage variables act as environment-specific parameters that you can reference in your API configuration.

For example, you might use different Lambda function names or DynamoDB table names across stages. This feature eliminates the need to rebuild your API for different environments.

Deployments are snapshots of your API configuration published to stages. When you make changes, you must create a new deployment to apply those changes to a stage.

Canary Deployments

Canary deployments provide a low-risk way to update APIs by gradually shifting traffic from the old version to the new version. This allows you to monitor new versions with a subset of traffic before full rollout.

CloudWatch Integration and Logging

API Gateway integrates with CloudWatch to provide detailed logs about API calls. This includes request parameters, response status codes, and latency information.

Execution logs show the full request/response cycle including authorization checks and integration calls. Access logs provide high-level information about who called your API and what resources they accessed.

Distributed Tracing and Caching

X-Ray integration enables distributed tracing, allowing you to visualize how requests flow through your API to backend services. CloudWatch metrics track API performance metrics like request count, latency, and error rates.

Caching at the stage level improves performance by storing frequently accessed responses. This reduces backend load and latency. Cache TTL (time-to-live) settings determine how long responses are cached, and you can invalidate caches on-demand for testing purposes.

Common API Gateway Patterns and Exam Strategies

Several recurring patterns appear frequently on AWS Developer Associate exams. Mastering these patterns helps you answer scenario-based questions with confidence.

Key Patterns to Study

Request/response transformation: Modify headers, extract data from requests, or format responses using VTL mapping templates
API composition: Aggregate data from multiple backend services through a single API endpoint
Error handling: Configure which HTTP status codes from backend services map to client-facing codes
Request validation: Define JSON schemas and understand validation behavior
API versioning: Use paths, query parameters, or headers with clear understanding of trade-offs

Selecting the Right API Type

REST APIs offer maximum control and features for complex applications. HTTP APIs provide better performance and lower cost for simpler scenarios. WebSocket APIs enable real-time bidirectional communication.

The exam tests your ability to select the appropriate type based on specific requirements.

Exam Focus Areas

Focus on understanding the relationship between resources and methods, how integrations work, and how authorization mechanisms function. Practice scenarios involving selecting appropriate integration types, such as using Lambda for serverless processing or HTTP for external service calls.

Understand throttling behavior, how it differs from quota limits, and how it impacts client applications. Know the difference between method-level and stage-level settings, and understand how stage variables enable environment-specific configurations.

Study Tips for Success

Study authorization scenarios thoroughly, as questions frequently test selecting the right authorization type for different use cases. Practice interpreting CloudWatch metrics and logs to diagnose API issues. Operational troubleshooting scenarios are common on AWS exams.

Start Studying AWS API Gateway

Master API Gateway concepts with interactive flashcards designed for AWS Developer Associate exam success. Our spaced repetition system helps you retain critical knowledge about integrations, authorization, stages, and deployment patterns.

Create Free Flashcards

Frequently Asked Questions

What is the difference between REST API and HTTP API in API Gateway?

REST APIs provide full-featured API management with support for advanced features. They include API keys, usage plans, authorizers, request/response transformations, and comprehensive monitoring. They offer maximum flexibility and control but with slightly higher cost and latency.

HTTP APIs are lighter-weight, lower-cost alternatives that support core API functionality with better performance and lower latency. They're ideal for simple use cases where advanced features aren't needed.

HTTP APIs don't support request/response mapping templates or certain advanced features. However, they're more cost-effective and faster for basic API requirements.

Choose REST APIs for complex applications requiring advanced features. Choose HTTP APIs for simpler, high-performance scenarios. For the exam, understand that HTTP APIs represent the newer, more optimized approach when advanced features aren't needed.

How do you implement custom authorization logic in API Gateway?

Lambda authorizers enable custom authorization by using Lambda functions to validate requests and return authorization policies. When a client invokes an API with a Lambda authorizer configured, API Gateway calls your Lambda function with the request context.

Your function evaluates the authorization logic, such as validating OAuth tokens or checking database permissions. It then returns an IAM policy that permits or denies access.

Lambda authorizers cache results using a configurable TTL to improve performance and reduce Lambda invocations. The exam frequently tests scenarios where you must implement custom logic beyond AWS IAM or Cognito, making Lambda authorizers the correct choice.

You should understand how authorizers receive context information, how they return policies, and how caching affects performance.

What are stage variables and when should you use them?

Stage variables are name-value pairs that you define for each stage. They allow you to parameterize API configurations based on the environment without modifying the API definition.

You can reference stage variables in resource paths, query parameters, and mapping templates using the syntax $stageVariables.variableName. Common uses include specifying different Lambda function names, DynamoDB table names, or backend endpoints for different stages.

For example, you might set a stage variable to point to dev-table for your development stage and prod-table for production. This enables you to manage a single API across multiple environments while maintaining environment-specific configurations.

The exam tests your understanding of how stage variables enable flexible environment management and when they're more appropriate than duplicating API definitions across stages.

How does API Gateway throttling work and how does it differ from quota limits?

Throttling limits the rate at which clients can call your API, measured in requests per second. API Gateway applies throttling at the account level with a default limit of 10,000 requests per second and a burst limit of 5,000 requests.

When throttling is exceeded, API Gateway returns 429 Too Many Requests. Quota limits, implemented through usage plans, represent the total number of requests allowed within a time period for specific API keys or usage plans.

Usage plans enable monetization by defining tiers with different rate and quota limits. Stage-level throttling lets you set custom limits for specific stages. Per-client throttling applies limits to individual API keys.

Reserved capacity reserves a portion of your throttle limit for critical clients, ensuring they always have access. The exam tests distinguishing between these concepts and understanding how they work together to manage API usage.

What is a mapping template and when would you use it?

Mapping templates use Velocity Template Language (VTL) to transform request and response data in API Gateway. Integration request templates transform client requests before sending them to backend services, enabling header manipulation, body transformation, and data extraction.

Integration response templates transform backend responses before returning them to clients. Mapping templates are essential for adapting between client-expected formats and backend service formats.

For example, you might extract specific fields from a JSON request body and pass them to a Lambda function. You might also transform a backend response structure into a different format for clients.

The exam tests basic template writing, such as extracting values from events and formatting responses. Understanding context variables like $input.path(), $stageVariables, and $context enables you to write effective templates that adapt requests and responses to your requirements.