Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
Use AWS Shield Advanced to stop the DDoS attack.
Configure Amazon GuardDuty to automatically block the attackers.
Configure the website to use Amazon CloudFront for both static and dynamic content.
Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.
Explanations:
AWS Shield Advanced provides enhanced DDoS protection and is specifically designed to mitigate large-scale attacks, offering protection for AWS resources such as EC2 instances. It continuously monitors traffic and can automatically respond to DDoS threats, ensuring high availability for the website.
Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior. While it can identify threats, it does not automatically block IP addresses. GuardDuty findings would need to be acted upon manually or integrated with other services to enforce block actions.
Configuring the website to use Amazon CloudFront can help mitigate DDoS attacks by distributing traffic across a network of edge locations, which can absorb and reduce the impact of the attack. CloudFront also provides caching and can serve static content, which further alleviates load on the origin servers.
While an AWS Lambda function could theoretically be used to add attacker IP addresses to VPC network ACLs, this method is not efficient for mitigating DDoS attacks that originate from thousands of IP addresses. Additionally, managing IP addresses dynamically in this way can lead to high latency and complexity.
Using EC2 Spot Instances in an Auto Scaling group can help handle variable traffic loads, but it does not provide protection against DDoS attacks. Spot Instances are susceptible to interruption and may not ensure high availability during an ongoing attack. The focus should be on protective measures rather than just scaling resources.