Your current web application is hosted on a set of EC2 Instances placed behind an Application Load Balancer. All the Security groups and NACLs have been put into place for tight security. What extra measures can be taken to ensure the blocking of DDoS attacks?

Answer options:

A.Consider placing an AWS Shield Advanced service in front of the Application Load balancer.
B.Consider placing an AWS PrivateLink service in front of the Application Load balancer.
C.Consider placing an AWS Shield Standard service in front of the Application Load balancer.
D.Consider adding the more restrictive rules to the Network ACLs.

Answer – A
The AWS Documentation mentions the following.
For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. Whereas AWS WAF can mitigate DDoS attacks at layer 7 of the OSI reference model. Therefore,
Option A is the correct answer.
Option B is incorrect because AWS PrivateLink is used to provide an endpoint for a service.
Option C is incorrect because AWS Shield Standard is already a service present. It defends against the most common, frequently occurring network and transport layer (at layers 3 and 4 of the OSI reference model) DDoS attacks that target your website or applications.
Option D is incorrect because it is just a distractor you need a better effective mechanism for protecting against DDoS attacks.
Reference: 
https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc