Mitigating slowloris and other DDoS attacks in AWS GovCloud using only AWS products (FedRAMP High) without CloudFront?


FedRAMP's Rev 5 from last year specifies the need to at minimum protect against a few types of attacks:

prevent specific denial-of-service (DoS), including ICMP (ping) flood, SYN flood, slowloris, buffer overflow attacks, and volume attacks.

All of AWS's documentation points to using CloudFront to protect specifically against slowloris. Say I have a web app hosted in EKS behind an ALB; do I really need CloudFront to do this? Even the documentation for AWS WAF and Shield mostly just mentions using CloudFront for this.

Specifically, though, CloudFront doesn't have FedRAMP authorization beyond Moderate, so I'm wondering if I really have to go get another product (another CDN or LB) in such an environment, or if AWS WAF/Shield on an ALB is enough.

Edit: It's worth mentioning I can also protect specifically against slowloris by using the NGINX Ingress (which creates an NLB), but then I'm unable to use WAF.
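The NGINX fallback mentioned in the edit relies on NGINX's own connection and read timeouts to drop clients that hold a request open without completing it. The configuration below is an added illustration of that approach, not part of the original post and not an AWS or NGINX-supplied file; the hostname, upstream address and every timeout value are placeholders chosen for illustration.

```nginx
# Added example (not from the original post): a minimal nginx.conf that bounds
# how long a single slow client can hold a worker connection open.
# All values and names are illustrative placeholders.
events {
    worker_connections 1024;
}

http {
    # Fail a client that does not finish sending its request headers in time.
    client_header_timeout 10s;
    # Same for the body; this applies between successive reads, not as a total.
    client_body_timeout 10s;
    # Close idle keep-alive connections well below the default of 75s.
    keepalive_timeout 15s;
    # Drop a client that stops reading the response it asked for.
    send_timeout 10s;
    # Send a reset rather than lingering when a timed-out connection is closed.
    reset_timedout_connection on;

    # Keep the header buffers small so a dribbled header block cannot grow large.
    client_header_buffer_size 1k;
    large_client_header_buffers 2 4k;

    # Cap concurrent connections per source address. If another proxy or a
    # load balancer without client-IP preservation sits in front, configure
    # the real_ip module or PROXY protocol first, or this limits the proxy.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;
    limit_conn per_ip 20;

    upstream app_backend {
        server 127.0.0.1:8080;   # placeholder backend address
    }

    server {
        listen 80;
        server_name app.example.gov;   # placeholder hostname

        location / {
            proxy_pass http://app_backend;
        }
    }
}
```

The timeouts are the part that matters for slowloris: each one converts an indefinitely slow read or write into a bounded worker-connection lifetime, and `reset_timedout_connection` frees the socket immediately. The per-address connection cap only helps when NGINX sees the true client address, which is why the comment flags the proxy case.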

