Which actions should the solutions architect take to protect the website from such an attack?
(Choose two.)
Use AWS Shield Advanced to stop the DDoS attack.
Configure Amazon GuardDuty to automatically block the attackers.
Configure the website to use Amazon CloudFront for both static and dynamic content.
Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.
Explanations:
AWS Shield Advanced provides DDoS protection specifically designed to mitigate large-scale attacks. It offers real-time attack visibility and automatically applies protections to prevent downtime, making it an effective solution for maintaining website availability during a DDoS attack.
Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior but does not automatically block IP addresses. While it can provide insights into potential threats, additional actions are required to block attackers.
Configuring Amazon CloudFront, a Content Delivery Network (CDN), helps absorb DDoS traffic by distributing it across its edge locations. This reduces the load on the origin servers and can serve cached content quickly, thus improving availability during an attack.
Using an AWS Lambda function to add attacker IP addresses to VPC network ACLs is a reactive measure: it acts only after traffic has already reached the VPC, is unlikely to keep pace with a large-scale attack, and does nothing against volumetric attacks that never depend on a small set of source addresses. Maintaining per-IP block lists in network ACLs also does not scale, so this is not an effective mitigation.
Using EC2 Spot Instances in an Auto Scaling group is not a viable strategy for DDoS mitigation. Spot Instances can be terminated by AWS with little notice, leading to potential downtime. Furthermore, scaling based on CPU utilization does not directly address the issue of a DDoS attack, which may not correlate with CPU usage.
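To make the two recommended controls concrete, here is an added CloudFormation sketch that is not part of the original question or answer key. It assumes the account is already subscribed to AWS Shield Advanced (the subscription is an account-level setting, not a template resource), that the origin is an existing Application Load Balancer whose DNS name is passed in as the hypothetical parameter OriginDnsName, that static assets live under the hypothetical path prefix /static/, and that the three managed policy IDs below are AWS's published CachingDisabled, AllViewerExceptHostHeader and CachingOptimized IDs (check them against the CloudFront console before deploying). The resource names are placeholders.

```yaml
# Added example, not from the original page. Assumes an existing Shield Advanced
# subscription, an existing ALB origin (OriginDnsName), a /static/ prefix for
# cacheable assets, and AWS's published managed cache/origin-request policy IDs.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OriginDnsName:
    Type: String
    Description: DNS name of the existing Application Load Balancer origin (assumed to exist)

Resources:
  # WAFv2 web ACL with a per-IP rate limit. Shield Advanced automatic
  # application-layer mitigation requires a web ACL on the protected resource.
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: edge-web-acl
      Rules:
        - Name: rate-limit-per-ip
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000            # requests per 5-minute window, per source IP
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rate-limit-per-ip

  # CloudFront in front of BOTH static and dynamic paths: static assets are
  # cached at the edge; dynamic requests still enter through the edge (so Shield
  # and WAF see them) but are not cached.
  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt EdgeWebAcl.Arn
        Origins:
          - Id: alb-origin
            DomainName: !Ref OriginDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:              # dynamic content: pass through, no caching
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad          # CachingDisabled
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac  # AllViewerExceptHostHeader
        CacheBehaviors:
          - PathPattern: "/static/*"       # static content: served from the edge cache
            TargetOriginId: alb-origin
            ViewerProtocolPolicy: redirect-to-https
            CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6        # CachingOptimized

  # Shield Advanced protection on the distribution, with automatic
  # application-layer DDoS mitigation enabled.
  DistributionShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: site-distribution-protection
      ResourceArn: !Sub "arn:aws:cloudfront::${AWS::AccountId}:distribution/${SiteDistribution}"
      ApplicationLayerAutomaticResponseConfiguration:
        Status: ENABLED
        Action:
          Block: {}
```

Two deployment notes: a web ACL with Scope CLOUDFRONT must be created in us-east-1, so deploy this stack there; and the split between DefaultCacheBehavior (CachingDisabled) and the /static/* behavior (CachingOptimized) is what lets the cached assets stay available from the edge while dynamic requests are still filtered by the rate-based rule and Shield before they reach the origin.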