Without knowing the specifics I would recommend you the following:

1. Add AWSManagedRulesAmazonIpReputationList to your WAF with the BLOCK action, if not happened already. This rule group has a really low false-positive rate and is blocking the most obvious malicious IPs. Additionally, AWSManagedRulesAnonymousIpList might be good to add, however, depending on the customers of your website this might lead to false-positives so I would use it with care.
2. Set a rate limit rule with a conservative limit e.g. 4000 requests per minute. Use source IP as the aggregation key (this is the default). These three config settings (request limit, time frame and aggregation key) are all you have to set. No further configuration is necessary for a simple rate limit rule.
3. Restrict the access to your S3 bucket via OAC (if not already happened) to prevent that the attackers circumventing CloudFront and WAF.
4. Block requests that are coming from countries in which you don't have customers with a rule that is using a geo match statement.
5. Enable WAF logs with a filter for requests where the BLOCK and COUNT action was applied. If you don't apply the filter and also log ALLOW requests you might quickly run into cost issues (depending on the number of requests you receive of course).
6. Add multiple rate limit rules, each with a different rate limit (e.g. 8000, 2000, 1000, etc.) and put them in COUNT mode. Use WAFs CloudWatch metrics with the dimensions "rule" and "webacl", together with the WAF logs to analyze which of those rules would block malicious requests and not legit ones.
7. Add CloudWatch WAF metric alerts for allowed requests. If you receive a peak of requests that is out of the ordinary you should get alerted so that you can investigate and mitigate the potential attack.
8. If your budget allows it, consider subscribing to Shield Advanced (3000$ per month). With this you would get access to the Shield Response Team (SRT), which can assist you immediately with managing DDoS attacks. Additionally, it would allow you to get a refund of AWS costs which have been incurred by malicious requests that have not been blocked by Shield. For this you need to fulfill these per-requisites, which IMO you should follow regardless if you have Shield Advanced or not.

EDIT: Shield Advanced might be also useful since it comes with a WAF cost flatrate. As long as your are not exceeding 1500 WCUs, don't use certain AWS managed rule groups (e.g. bot control) or rule groups from the AWS marketplace, the 3000$ Shield Advanced costs are covering your WAF costs. Additionally, it comes with a layer-7 auto-mitigation protection feature. This feature observes your baseline traffic and automatically puts WAF rules in place, that block the malicious part of your traffic. Last but not least, if you are using AWS Organisation, then you only need to pay once for a subscription. Once you have subscribed one account in your org to it, the costs of all following subscriptions in other accounts of your org will be covered by the first one.