Correct Answers: Implement AWS Shield Advanced to provide DDoS protection with near real-time mitigation and 24/7 response team support.
Deploy the website behind Amazon CloudFront to cache content at edge locations and absorb traffic surges.

Explanation:
AWS Shield Advanced is designed to protect AWS-hosted applications from large-scale DDoS attacks. It offers advanced threat detection, mitigation at the edge, and access to the AWS DDoS Response Team (DRT), ensuring fast incident response with no downtime.

Amazon CloudFront, AWSs CDN, helps absorb and deflect large bursts of traffic (malicious or legitimate) by serving cached content from edge locations globally. It also integrates with AWS WAF for additional protection.

Why the other options are incorrect:

Amazon GuardDuty is a threat detection service, not a real-time blocker. It detects and alerts but doesnt actively block traffic by itself.
Lambda + network ACLs is not scalable for high-volume DDoS attacks due to ACL entry limits and the slow response time of Lambda-based automation.
Spot Instances can be interrupted at any time, which contradicts the requirement for zero downtime.

Full AWS Practitioner Certification Question