1) Setting up a Security Group is an easy and important layer of security. If you are running any web app, then ports 80/443 are the ones to be open to the world, and port 22 for accessing the server remotely via SSH should be allowed from a particular IP address only. Other than these 3 ports, all traffic will be blocked. You can test with port scanning or the NMAP tool.
2) Limit access for SSH to your static IP address only; also, for accessing the EC2 instance via SSH you need a key. If an attacker somehow gets to know your IP address, he/she cannot access your server without the key.
Note :- If you are using a CDN (CloudFlare), then your EC2 static IP is already hidden.
3) You can limit the number of concurrent connections from the same IP address to your server.
You can use Linux firewall rules for that :-
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables-save >/etc/iptables.up.rules
The first line will watch the IP connecting to your eth0 interface.
The second line will check if the connection is new within the last 60 seconds and if the packet flow is higher than ten; if so, it will drop the connection.
The third line will make the rules persistent in case of a reboot.
To verify the number of concurrent connections from all clients that are connected to your server :-
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
It will show a list of the current active connections by IP address; the offending IP is usually the one with a high number of connections.
12 10.1.1.1
160 162.19.17.93
In the example above, the first number is the number of connections, followed by the originating IP address.
Note :- On a heavily loaded server the number of connections may be above 100, but during a DDoS attack the number will go even higher. For an average host, if you have more than 30 connections from a single IP, chances are you are under attack. If more than 5 such IPs/hosts are connected from the same network, that's a very clear sign of a DDoS attack.
The output of lsof, netstat and tcpdump is very useful in detecting this type of issue.
Now that you have the IP address of the client, you can use iptables to block that IP, or the tcpkill command to do so. tcpkill is part of the dsniff package.
apt-get install dsniff
Then issue :-
tcpkill host x.x.x.x
The above method is good and will help you mitigate a small DDoS attack if applied correctly. Now, if you are using a CDN (CloudFlare), then you can block the attacker at that level. You can use the CloudFlare API to block the IP address. In this case the traffic will not come to your server.
Read more at the CloudFlare API Doc.
Refer to the above method and create a script that will help you with automation.
4) In my opinion CloudFlare is better than CloudFront. CloudFlare is easy to set up, and from one control panel you can handle everything. Even if you find a heavy amount of unnecessary traffic, CloudFlare's "I'm Under Attack" mode will mitigate it in under 5-10 seconds.
Read more about DDoS and "I'm Under Attack" mode in the Cloudflare blogs.
5) You can set up AWS Alarms to stop/terminate the EC2 instance if your network bandwidth exceeds the limit.
AWS Alarm Sample
Edit:- One important thing is to try to set up a monitoring tool (like Nagios) and a log management tool for web app access. This will help you find the bottleneck.
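As an added example (not part of the original answer or any project's code), here is the connection-counting step of point 3 turned into a small POSIX shell script: it counts port-80 connections per remote IP from netstat -tn style output, flags any IP above a threshold (30 by default, the figure the answer gives), and emits the matching iptables block rules without applying them. The netstat sample is constructed inline with documentation-range addresses; the server IP 10.0.0.5 and the helper names are assumptions for illustration. Unlike the answer's grep :80, the filter matches only the local side of the connection, so a ":8080" listener or a remote port in the 80xx range is not counted.

```shell
#!/bin/sh
# Added example: count web connections per client IP, flag heavy hitters,
# and emit (not apply) iptables rules for them. Not from the original answer.

# Emit <how-many> constructed ESTABLISHED lines from <remote-ip> to local
# port <local-port> on the assumed server address 10.0.0.5.
emit_conns() {  # emit_conns <remote-ip> <local-port> <how-many>
    n=0
    while [ "$n" -lt "$3" ]; do
        printf 'tcp        0      0 10.0.0.5:%s             %s:%s      ESTABLISHED\n' \
            "$2" "$1" $((40000 + n))
        n=$((n + 1))
    done
}

# Constructed sample in the shape of `netstat -tn` output (not a real capture):
# 198.51.100.7 holds 35 web connections, 10.1.1.1 holds 12 plus one SSH
# session, 203.0.113.9 holds 3.
sample_netstat() {
    printf 'Active Internet connections (w/o servers)\n'
    printf 'Proto Recv-Q Send-Q Local Address           Foreign Address         State\n'
    emit_conns 198.51.100.7 80 35
    emit_conns 10.1.1.1     80 12
    emit_conns 10.1.1.1     22 1
    emit_conns 203.0.113.9  80 3
}

# Read netstat -tn style lines on stdin; print "count ip" for connections
# whose local side is port 80, most connections first.
count_by_ip() {
    awk '$1 == "tcp" && $4 ~ /:80$/ { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Keep only the IPs whose count exceeds the threshold given as $1 (default 30).
flag_suspicious() {
    awk -v t="${1:-30}" '$1 > t { print $2 }'
}

# Turn each IP on stdin into an iptables rule that drops its web traffic.
# Rules are printed, not run: review them, then pipe into `sh` as root.
block_rules() {
    while IFS= read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

# Demo on the constructed sample. On a live host replace sample_netstat with
# `netstat -tn 2>/dev/null`.
sample_netstat | count_by_ip
sample_netstat | count_by_ip | flag_suspicious "${THRESHOLD:-30}" | block_rules
```

On the sample this prints "35 198.51.100.7" first and a single DROP rule for that address; 10.1.1.1 stays under the threshold because its SSH session is not counted against port 80. Tune THRESHOLD to your own baseline before piping the rules into sh, since a busy NAT gateway or proxy can legitimately hold many connections from one address.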
Best Answer
AWS WAF will not work in your use case unless you use an Application Load Balancer.
If you're not using one of these technologies, AWS WAF will not work for you.
I understand you do not want to use an Application Load Balancer, but Lightsail does support it. If you were to use it, then you could use AWS WAF.
References
Lightsail with other AWS Services
AWS WAF FAQ