What should a solutions architect recommend?
Deploy Amazon Inspector and associate it with the ALB.
Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.
Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
Explanations:
Amazon Inspector is a security assessment service for identifying vulnerabilities in applications, but it does not provide real-time protection against DDoS or malicious traffic. It is not designed to block illegitimate requests or to provide rate limiting.
AWS WAF (Web Application Firewall) can be associated with the ALB to protect against malicious traffic. Configuring a rate-limiting rule in AWS WAF allows blocking high-frequency requests from illegitimate sources, which addresses the DDoS-like behavior and minimizes impact on legitimate users.
Network ACLs are designed for network-level security and provide basic filtering, but they are not suitable for advanced application-layer protection such as rate limiting or blocking malicious traffic based on specific behaviors. It would be difficult to manage dynamic IP changes or detailed application rules in network ACLs.
Amazon GuardDuty is a threat detection service that identifies unusual or suspicious activity. While it provides security insights, it does not offer a direct mechanism for blocking DDoS traffic or for rate limiting. GuardDuty can alert on malicious activity, but it cannot automatically block traffic the way AWS WAF can.