During a DDoS attack, one way to protect against the attacks is to have AWS Shield Advanced. If there is a sudden hike in Route 53, ELB and CloudFront usage, we may be able to determine a DDoS attack by creating CloudWatch alarms. My question is: how come we have Route 53 usage? Isn't it a service which costs a fixed amount of money?
I’m thinking what I would do is log API calls (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html) to Route 53 via CloudTrail, send the trail to CloudWatch and configure alarms to either alert, display on a dashboard or trigger a Lambda function.
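The counting and alarm step from the answer above, run offline over CloudTrail-style records, as an added example that is not code from the post or from AWS. The 5-minute period, the threshold, the function names and the sample records are assumptions made for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

PERIOD_SECONDS = 300             # assumed alarm period (5 minutes)
THRESHOLD = 3                    # assumed: alarm when a period has more calls than this
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format

# Constructed CloudTrail-style records (not real log data).
_EVENTS = [
    ("2024-01-01T12:00:05Z", "route53.amazonaws.com", "ListHostedZones"),
    ("2024-01-01T12:01:40Z", "s3.amazonaws.com", "ListBuckets"),
    ("2024-01-01T12:03:10Z", "route53.amazonaws.com", "GetHostedZone"),
    ("2024-01-01T12:05:01Z", "route53.amazonaws.com", "ChangeResourceRecordSets"),
    ("2024-01-01T12:05:30Z", "route53.amazonaws.com", "ChangeResourceRecordSets"),
    ("2024-01-01T12:06:02Z", "route53.amazonaws.com", "ListResourceRecordSets"),
    ("2024-01-01T12:07:45Z", "route53.amazonaws.com", "ChangeResourceRecordSets"),
    ("2024-01-01T12:09:59Z", "route53.amazonaws.com", "ListHostedZones"),
]
SAMPLE_LINES = [
    json.dumps({"eventTime": t, "eventSource": s, "eventName": n})
    for t, s, n in _EVENTS
]
SAMPLE_LINES.append("not json")  # constructed malformed line, must be skipped


def route53_calls_per_period(lines, period=PERIOD_SECONDS):
    """Count Route 53 API calls per period, keyed by period start (UTC).

    Mirrors a CloudWatch Logs metric filter on the pattern
    { $.eventSource = "route53.amazonaws.com" } with a metric value of 1.
    """
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
            if rec["eventSource"] != "route53.amazonaws.com":
                continue
            ts = datetime.strptime(rec["eventTime"], TIME_FMT)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
        start = epoch // period * period
        key = datetime.fromtimestamp(start, timezone.utc).strftime(TIME_FMT)
        counts[key] += 1
    return dict(counts)


def periods_in_alarm(counts, threshold=THRESHOLD):
    """Return the period starts whose call count exceeds the threshold."""
    return sorted(k for k, v in counts.items() if v > threshold)
```
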