AWS Certified Security Specialty Exam Questions


Question 144:

An employee keeps terminating EC2 instances in the production environment. You've determined the best way to ensure this doesn't happen is to add an extra layer of defense against terminating the instances. Which of the following methods is the most appropriate one to add security protection that prevents the employee from terminating the production instances?

Answer options:

A. Tag the instance with a production-identifying tag and add resource-level permissions to the IAM policy of the employee user with an explicit deny on the terminate API call to instances with the production tag.
B. Tag the instance with a production-identifying tag and modify the employee's group to only start, stop, and reboot API calls and not terminate the instance call.
C. Modify the IAM policy on the user to require MFA before deleting production EC2 instances.
D. Modify the IAM policy on the user to require MFA before deleting all EC2 instances.