Which solution meets these requirements?

Explanations:

Enabling an AWS WAF web ACL on the ALB and configuring rules to block traffic from unknown sources can help with filtering malicious traffic, but it may not provide a complete audit trail or a fully automated response to DDoS attacks, which is required in this case. Additionally, this solution might require ongoing maintenance of the WAF rules.

Subscribing to Amazon Inspector provides security assessments but does not directly address DDoS attacks or provide a solution with an audit trail for DDoS sources. AWS DDoS Response Team (DRT) engagement is only relevant in the case of large-scale attacks and does not mitigate DDoS attacks without additional measures like AWS Shield Advanced.

AWS Shield Advanced provides proactive DDoS protection and includes detailed DDoS attack diagnostics, an audit trail, and automatic mitigation. Engaging AWS DRT will further improve attack response. This solution offers minimal configuration changes while fulfilling the requirements for mitigating DDoS attacks and auditing the sources.

Using CloudFront with an ALB origin and enabling a WAF web ACL helps filter malicious traffic, but this solution does not offer the same level of comprehensive DDoS protection as AWS Shield Advanced. It also doesn’t provide an integrated, automated DDoS response or the extensive audit trail that Shield Advanced does.