Which of the following is a best practice for DDoS protection in AWS?

Enabling AWS Shield for automatic protection is a best practice for DDoS protection in AWS, as it provides a managed DDoS protection service specifically designed to safeguard applications running on AWS. AWS Shield offers two tiers: Standard and Advanced. The Standard tier is automatically included at no extra cost and protects against common DDoS attacks, while the Advanced tier provides enhanced protections, real-time attack visibility, and access to DDoS response team support.

By leveraging AWS Shield, businesses can ensure their applications maintain availability and performance during an attack, effectively mitigating the impact of potential DDoS threats. This approach allows organizations to focus on their core business activities while AWS manages and provides continuous protection against evolving DDoS attack vectors.

Other options may not offer comprehensive DDoS protections. For instance, relying solely on security groups limits the overall protective measures available, as security groups primarily function as virtual firewalls controlling inbound and outbound traffic for Amazon EC2 instances, but they do not specifically address DDoS attacks. Similarly, while setting up static IP addresses may serve specific use cases, it does not inherently enhance protection against DDoS attacks. Implementing AWS Lambda functions for traffic routing does not provide a fundamental layer of DDoS defense either, as