You have both production and development based instances running on your VPC. It is required to ensure that people responsible for the development instances do not have access to work on production instances for better security. Which of the following would be the best way to accomplish this using policy with minimal efforts? 

Answer options:

A.Launch the development and production instances in separate VPCs and use VPC Peering.
B.Create an IAM group with a condition that allows access to only those instances which are used for production or development.
C.Launch the development and production instances in different Availability Zones and use Multi-Factor Authentication.
D.Define the tags on the Development and production servers and add a condition to the IAM Policy which allows access to specific tags.

Correct Answer – D
You can easily add tags to define which instances are the production instances and which ones are development instances. These tags can then be used while controlling access via an IAM Policy. Also the question is asking for minimal efforts and overhead and therefore Option D is the CORRECT choice here.
For more information on tagging your resources, please refer to the link below:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
Note:
It can be done with the help of option B as well. However, the question is looking for the "best way to fulfill the requirement using policies".
By using the option D, you can reduce the usage of different IAM Policies on each instance.