Which solution will meet these requirements?
Enable AWS Config. Configure an AWS Config managed rule that detects DDoS attacks.
Enable AWS WAF on the ALB. Create an AWS WAF web ACL with rules to detect and prevent DDoS attacks. Associate the web ACL with the ALB.
Store the ALB access logs in an Amazon S3 bucket. Configure Amazon GuardDuty to detect and take automated preventative actions for DDoS attacks.
Subscribe to AWS Shield Advanced. Configure hosted zones in Route 53. Add ALB resources as protected resources.
Explanations:
AWS Config is a service for resource configuration management and compliance tracking. It does not actively monitor or detect DDoS attacks. Instead, it focuses on auditing and compliance of AWS resource configurations.
While AWS WAF can help mitigate certain types of DDoS attacks by setting rules to block specific traffic patterns, it is not a proactive managed solution specifically designed for DDoS detection and response. It works best in conjunction with AWS Shield for comprehensive DDoS protection.
Amazon GuardDuty is a threat detection service that analyzes activity and detects potential threats, but it does not specifically handle DDoS attacks or provide proactive engagement for them. Storing ALB access logs in S3 is useful for analysis but does not address DDoS prevention.
AWS Shield Advanced provides enhanced DDoS protection and proactive engagement, including 24/7 access to the AWS DDoS Response Team (DRT). By subscribing to AWS Shield Advanced, configuring Route 53 hosted zones, and adding the ALB resources as protected resources, the company gains managed DDoS protection tailored to its architecture.