
The following are my assumptions based on AWS docs. It's only because the docs do not precisely address my questions that I'm here asking.

  1. AWS WAF (whether used directly or via Shield Advanced) is what AWS provides as a service.

  2. The pricing structure of WAF means every request incurs a cost, even from IPs that it may decide to block, as it still needs to process and respond. Hence a DDoS attack can result in a cost spike.

  3. Services like Route53 and CloudFront have AWS Shield Standard enabled by default, which only protects from layer 3/4 DDoS attacks.

Questions:

  1. Are my assumptions correct?
  2. I have read articles where customers have mentioned using external services like CloudFlare to provide authoritative DNS, as their layer 7 DDoS protection is far more cost effective. However, wouldn't that only protect from attacks needing IP resolution? I.e., if an attacker has the IP to the AWS service (like Global Accelerator) resolved, can't they attack it directly without needing to go via CloudFlare?
  3. Are there any other options for layer 7 protection?

Reflections (no need to read if you don't need to):

  1. My application (API) would 100% be a candidate for DDoS. I've coded it to be resilient to fraudulent requests that actually make it to the API (SQL injection, etc.), as that's my responsibility as the application developer. What I don't find fair is the customer having to pay for inherent problems with the internet (DDoS protection). AWS (and any cloud provider really) ought to be responsible for controlling DDoS attacks at all levels and integrating this for free to protect their own infra. But what it feels like is making customers share this cost.
  2. For normal traffic, the cost of AWS WAF is quite reasonable, but if it were just normal traffic, I would not be here concerned. What concerns me is spikes due to layer 7 DDoS attacks where requests are from changing IPs but otherwise seem genuine. 10 billion requests overnight (easily accomplishable via botnets) and I wake up to a 6k bill. So while my application is secure, the cost to safeguard (the infra, not the app, the infra) from DDoS makes it virtually impossible for sole operators/startups like myself to be sustainable.
Ash
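The direct-to-IP bypass raised in question 2 is real whenever the origin accepts connections from anyone: a CDN or external WAF in front of the origin only helps if the origin itself refuses traffic that did not come through that edge. The following is an added example of that origin-side check, not code from the question, the answer, or any provider; the edge CIDRs, the header name and the secret value are constructed placeholders (real deployments take the CIDRs from the edge provider's published IP list and set the secret on the edge configuration).

```python
import hmc_placeholder_guard  # noqa: F401  (placeholder removed below)
```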

1 Answer


All three of your assumptions are correct.

Maybe the reason your question got down-voted is because, like you literally said, all of this information is widely available on the internet, like from their Docs.

As for your questions, there is AWS Shield Advanced, which is also probably stated in their Docs, and this is considered 'better' in terms of layer 7 protection, but obviously more expensive. There are plenty of third-party WAF solutions like Cloudflare (like you said), Akamai, Imperva, and F5 Networks, all of which have options and extras to protect against all attacks. There are also ADCs (Application Delivery Controllers), which work in a similar way to WAF solutions but differ in a few small ways.

Ultimately, the best layer 7 protection method will depend on factors specific to your needs, such as budget and your level of expertise. So unless you provide much more information on the specific requirements you have for layer 7, it is hard to decide from so many different approaches and services.