A company is deploying a new web application on AWS. Based on their other web applications, they anticipate being the target of frequent DDoS attacks. Which steps can the company take to protect its application? Select 2 answers from the options given below.

Answer options:

A.Associate the EC2 instances with a security group that blocks traffic from blacklisted IP addresses.
B.Use an AWS Application Load Balancer and Auto Scaling group to scale to absorb malicious traffic.
C.Use Amazon Inspector on the EC2 instances to examine incoming traffic and discard malicious traffic.
D.Use CloudFront and AWS WAF to prevent malicious traffic from reaching the application.
E.Enable GuardDuty to block malicious traffic from reaching the application.

Answer: B and D
Option A is incorrect because during a DDoS attack, a large number of IP addresses may be used, and the Security Group cannot blacklist IPs.
Option B is CORRECT because by doing this we can have the application available to cater to the users during a time of an ongoing DDoS attack.
Option C is incorrect because AWS Inspector cannot be used to examine traffic, hence cannot confirm when a DDOS attack is occurring on the infrastructure.
Option D is CORRECT because AWS WAF is the recommended service to protect against DDoS attacks.
Option E is incorrect because GuardDuty is used as a continuous security monitoring service but does not protect against DDoS attacks on the entire application.
The below diagram from AWS shows how to avoid DDoS attacks using services such as AWS Cloudfront, WAF, ELB and Autoscaling:
For more information on DDoS mitigation from AWS, please visit the below URL:
https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/