Which solution is MOST effective?
Configure an AWS WAF ACL with rate-based rules. Create an Amazon CloudFront distribution that points to the Application Load Balancer. Enable the WAF ACL on the CloudFront distribution.
Create a custom AWS Lambda function that adds identified attacks into a common vulnerability pool to capture a potential DDoS attack. Use the identified information to modify a network ACL to block access.
Enable VPC Flow Logs and store them in Amazon S3. Create a custom AWS Lambda function that parses the logs looking for a DDoS attack. Modify a network ACL to block identified source IP addresses.
Enable Amazon GuardDuty and configure findings to be written to Amazon CloudWatch. Create an event with CloudWatch Events for DDoS alerts that triggers Amazon Simple Notification Service (Amazon SNS). Have Amazon SNS invoke a custom AWS Lambda function that parses the logs, looking for a DDoS attack. Modify a network ACL to block identified source IP addresses.
Explanations:
This option effectively utilizes AWS WAF to create rate-based rules, which can help mitigate DDoS attacks by limiting the number of requests from a specific IP address. Additionally, using Amazon CloudFront as a CDN in front of the Application Load Balancer provides caching and further shields the backend from direct traffic, enhancing security.
While a custom AWS Lambda function could potentially identify attacks, this option lacks immediate preventive measures. Simply capturing information about attacks does not actively mitigate them, making it less effective for minimizing DDoS impact.
Enabling VPC Flow Logs and creating a Lambda function to analyze them may help in identifying DDoS attacks, but it is reactive rather than proactive. Modifying a network ACL post-attack does not prevent the attack or minimize impact effectively.
Although enabling Amazon GuardDuty can provide insights into potential threats, the process described is still reactive. Modifying a network ACL after detecting an attack does not provide immediate mitigation. The solution lacks proactive measures like rate limiting or preemptive blocking of traffic.
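The first explanation above rests on what a WAF rate-based rule actually does: count requests per source IP over a trailing window and block the source once it exceeds a limit. The following Python is an added example, not part of the original question or of any AWS documentation. It shows the WAFv2 rule object you would hand to the CLI (the rule name `RateLimitPerIP`, the limit of 2000 and the window of 300 seconds are chosen for illustration), and replays a constructed request log (test-net addresses, made up for this example) through a small per-IP sliding-window counter so you can see which requests such a rule would block. The counter is a teaching model of the rule's behaviour, not AWS's evaluation engine, which applies the count with some lag.

```python
"""Added example: what an AWS WAF rate-based rule does, shown two ways.

1. rate_based_rule() builds the WAFv2 rule object for a web ACL. For a
   CloudFront distribution the web ACL is created with
   `aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1 ...`.
2. simulate_rate_rule() replays constructed request logs through the same
   counting idea (requests per source IP in a trailing window). It is a
   model for teaching, not the AWS engine.
"""
from collections import defaultdict, deque


def rate_based_rule(name: str, limit: int, priority: int = 0,
                    window_sec: int = 300) -> dict:
    """Return a WAFv2 rule that blocks any single source IP exceeding
    `limit` requests in `window_sec` seconds (300 s is the WAF default)."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP",   # count per client IP
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def simulate_rate_rule(requests, limit: int, window_sec: int = 300):
    """requests: iterable of (timestamp_seconds, source_ip) in time order.

    Returns (blocked, allowed): dicts of request counts keyed by source IP.
    A request is blocked when its IP already has `limit` requests inside
    the trailing window. Blocked requests are still counted, so a flooding
    source stays blocked until its rate drops below the limit, which is
    how a WAF rate-based rule behaves.
    """
    recent = defaultdict(deque)
    blocked = defaultdict(int)
    allowed = defaultdict(int)
    for ts, ip in requests:
        q = recent[ip]
        while q and ts - q[0] >= window_sec:   # drop requests outside the window
            q.popleft()
        if len(q) >= limit:
            blocked[ip] += 1
        else:
            allowed[ip] += 1
        q.append(ts)
    return dict(blocked), dict(allowed)


def constructed_traffic():
    """Constructed sample log: one flood source and one normal client."""
    reqs = []
    # 203.0.113.10 sends 2,500 requests in the first 60 seconds: a flood.
    for i in range(2500):
        reqs.append((i * 60 / 2500, "203.0.113.10"))
    # 198.51.100.7 sends one request every 10 s for five minutes: normal use.
    for i in range(30):
        reqs.append((i * 10.0, "198.51.100.7"))
    reqs.sort()
    return reqs


if __name__ == "__main__":
    import json
    print(json.dumps(rate_based_rule("RateLimitPerIP", 2000), indent=2))
    blocked, allowed = simulate_rate_rule(constructed_traffic(), limit=2000)
    for ip in sorted(allowed):
        print(f"{ip}: allowed={allowed[ip]} blocked={blocked.get(ip, 0)}")
```

With the sample traffic the flood source gets its first 2000 requests through and the remaining 500 blocked, while the normal client is never touched. Note that the limit is per source IP, so a distributed flood spread thinly across many addresses may stay under it; the rate-based rule is the request-rate layer, and CloudFront and AWS Shield Standard absorb the network-layer volume in front of it.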