AWS Certified Solutions Architect - Professional (#11)

What combination of steps could a Solutions Architect take to protect a web workload running on Amazon EC2 from DDoS and application layer attacks? (Choose two.)

Put the EC2 instances behind a Network Load Balancer and configure AWS WAF on it.
Migrate the DNS to Amazon Route 53 and use AWS Shield.
Put the EC2 instances in an Auto Scaling group and configure AWS WAF on it.
Create and use an Amazon CloudFront distribution and configure AWS WAF on it.
Create and use an internet gateway in the VPC and use AWS Shield.