What should a solutions architect recommend?
Deploy Amazon Inspector and associate it with the ALB.
Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
Explanations:
Amazon Inspector is primarily used for assessing the security of applications and does not provide real-time protection or blocking capabilities against incoming requests. It is not designed to mitigate DDoS attacks or filter illegitimate traffic at the ALB level.
AWS WAF (Web Application Firewall) can be deployed and associated with the ALB to provide protection against DDoS attacks and other unwanted traffic. By configuring a rate-limiting rule, it can effectively block requests from illegitimate sources while allowing legitimate users to access the site without significant impact.
Network ACLs operate at the subnet level and are not as granular as AWS WAF for filtering HTTP(S) traffic. While they can block traffic based on IP addresses, they do not provide capabilities like rate limiting or inspecting application-layer requests, which are essential for dealing with sophisticated DDoS attacks.
Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior but does not provide direct rate-limiting protection or request filtering. It can identify potential security threats, but it cannot actively block illegitimate incoming requests like AWS WAF can.