Answer: Cloudfront, AWS Shield

**AWS Shield** and **CloudFront** help in DDoS protection: - **AWS Shield**: AWS's managed DDoS protection service that provides always-on detection and automatic inline mitigations - **CloudFront**: Content Delivery Network (CDN) that helps minimize attack surface by placing resources behind a distributed network, limiting direct internet traffic to infrastructure **Why not the others**: - **AWS EC2**: Virtual servers that can be targets of DDoS attacks, not protection services - **AWS Config**: Service for resource configuration tracking and compliance, not DDoS protection As mentioned in AWS documentation, minimizing attack surface through CDNs (like CloudFront) and using DDoS protection services (like AWS Shield) are key techniques for DDoS mitigation.

Author: Ritesh Yadav