Mitigating AWS Amplify costs incurred by DDOS and/or Bot traffic.

Hi I'm currently setting up an Amplify services and I'm worried about spiralling egress costs due to bot traffic and other bad actors. I know I can set up a quota using AWS Budget, but I can't find any information on how to mitigate billing getting out of hand in the first place (before my budget quotas are breached and the Amplify service is put on hold). It seems like AWS Shield standard gives some protection against DDOS, but I can't determine if one needs to add products such as Shield WAF on top of Amplify to ward off all that unwanted traffic in the first place. There's plenty of documentation for Cloudfront on this matter, but there seems to be a gap for Amplify - hoping some kind soul could advise.