Hi Joe,
Removing the header and then immediately adding it back was the only changed that I made to the policy. Without those two assertions in place I end up receiving the same error message that I was seeing before only in IE 11:
Request header api-key was not present in the Access-Control-Allow-Headers list
Access is denied
What is odd is that the request header is present in the Access-Control-Allow-Headers list even without these two assertions in place. I haven't had a chance to use wireshark or another proxy to see in more detail what the API Gateway is sending back to the client using IE 11 but using the network tab in IE's dev tools I can see that the correct Access-Control-Allow-Headers key/value is being sent in the request from the client and then included in the response from the gateway.
However, without these assertions it still works fine in Chrome and Firefox by just using the Process CORs assertion using the settings that I documented above. IE 11 is the only browser that I run into this issue with.