Which solution meets these requirements?
Enable an AWS WAF web ACL on the ALB, and configure rules to block traffic from unknown sources.
Subscribe to Amazon Inspector. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service.
Subscribe to AWS Shield Advanced. Engage the AWS DDoS Response Team (DRT) to integrate mitigating controls into the service.
Create an Amazon CloudFront distribution for the application, and set the ALB as the origin. Enable an AWS WAF web ACL on the distribution, and configure rules to block traffic from unknown sources.
Explanations:
Enabling an AWS WAF web ACL on the ALB and configuring rules to block traffic from unknown sources can help filter malicious traffic, but it does not by itself provide the complete audit trail of attack sources or the fully automated DDoS response that this scenario requires. It also requires ongoing maintenance of the WAF rules as traffic patterns change.
Subscribing to Amazon Inspector provides vulnerability assessments of workloads but does not address DDoS attacks or provide an audit trail of DDoS sources. Engaging the AWS DDoS Response Team (DRT) is relevant only for large-scale attacks and does not mitigate DDoS attacks on its own; it depends on additional measures such as AWS Shield Advanced.
AWS Shield Advanced provides proactive DDoS protection and includes detailed DDoS attack diagnostics, an audit trail, and automatic mitigation. Engaging AWS DRT will further improve attack response. This solution offers minimal configuration changes while fulfilling the requirements for mitigating DDoS attacks and auditing the sources.
Using CloudFront with an ALB origin and enabling a WAF web ACL helps filter malicious traffic, but this solution does not offer the same level of comprehensive DDoS protection as AWS Shield Advanced. It also doesn’t provide an integrated, automated DDoS response or the extensive audit trail that Shield Advanced does.