You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below can be used to notify and mitigate the attacks? (Select THREE).

Answer options:

A.Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
B.Use dedicated instances to ensure that each instance has the maximum performance possible.
C.Deploy AWS WAF on an Amazon CloudFront distribution to prevent DDoS attacks to the application.
D.Use an Elastic Load Balancer with Auto Scaling Groups at the Web Application layer to scale up when the traffic is increasing.
E.Create Amazon CloudWatch alarms to alert for a high network in and CPU utilization and notify the team with an SNS notification.

Answer – C, D, and E
This question is asking you to select some of the most recommended and widely used DDoS mitigation techniques.
What is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack is an attack orchestrated by distributed multiple sources that make your web application unresponsive and unavailable for the end-users.
DDoS Mitigation Techniques
Some of the recommended techniques for mitigating the DDoS attacks are 
(i) building the architecture using the AWS services and offerings that can protect the application from such attacks. e.g. CloudFront, WAF, Autoscaling, Route53, VPC, etc.
(ii) defending the infrastructure layer by over-provisioning capacity and deploying DDoS mitigation systems.
(iii) defending the application layer by using WAF and operating at scale by using autoscale so that the application can withstand the attack by scaling and absorbing the traffic.
(iv) minimizing the surface area of attack
(v) obfuscating the AWS resources
Option A is incorrect because ENIs do not help in increasing the network bandwidth.
Option B is incorrect because having dedicated instances performing at maximum capacity will not help mitigate the DDoS attack. What is needed is instances behind auto-scaling so that the traffic can be absorbed while actions are being taken on the attack and the application can continue responding to the clients.
Option C is CORRECT because WAF can protect against DDoS attacks and users can define rules to allow or block traffic.
Option D is CORRECT because ELB helps distribute the traffic to the auto-scaling instances (helps to absorb the traffic).
Option E is CORRECT because CloudWatch alarms can be used to trigger an SNS notification so that the team can be alerted of the high traffic.
Note: Advanced Shield would be a better solution. There is a cost factor attached to it.
It is very important to read the AWS Whitepaper on Best Practices for DDoS Resiliency.
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf