AWS Certified Security - Specialty (#42)

A company recently experienced a DDoS attack that prevented its web server from serving content. The website is static and hosts only HTML, CSS, and PDF files that users download. Based on the architecture shown in the image, what is the BEST way to protect the site against future attacks while minimizing the ongoing operational overhead?

Move all the files to an Amazon S3 bucket. Have the web server serve the files from the S3 bucket.
Launch a second Amazon EC2 instance in a new subnet. Launch an Application Load Balancer in front of both instances.
Launch an Application Load Balancer in front of the EC2 instance. Create an Amazon CloudFront distribution in front of the Application Load Balancer.
Move all the files to an Amazon S3 bucket. Create a CloudFront distribution in front of the bucket and terminate the web server.