Which solution will meet these requirements?
Use AWS WAF with an upgrade to the AWS Business support plan.
Use AWS Certificate Manager with an Application Load Balancer configured with an origin access identity.
Use AWS Shield Advanced.
Use AWS WAF to protect AWS Lambda functions encrypted with AWS KMS, and a NACL restricting all ingress traffic.
Explanations:
While AWS WAF provides Layer 7 protection against common web exploits, merely upgrading to the AWS Business support plan does not enhance DDoS mitigation capabilities significantly, particularly for Layers 3 and 4, which require more robust solutions like AWS Shield.
AWS Certificate Manager provides SSL/TLS certificates but does not address DDoS mitigation. An Application Load Balancer (ALB) helps with traffic management but does not directly protect against DDoS attacks at Layers 3, 4, or 7.
AWS Shield Advanced offers enhanced DDoS protection for AWS applications, including those hosted on Amazon S3, CloudFront, and Route 53. It provides automatic detection and mitigation of DDoS attacks across all layers, making it the most appropriate choice for comprehensive protection.
While AWS WAF can protect against Layer 7 attacks, restricting ingress traffic with Network ACLs (NACLs) does not effectively mitigate DDoS attacks, especially at Layers 3 and 4. AWS Lambda functions are serverless and don’t typically use NACLs directly, so this approach is incomplete for the stated requirements.