Which of the below mentioned ways can be used to provide additional layers of protection to all your EC2 resources?

Answer options:

A.To control AWS API calls to EC2 instances, add policies that have a deny and/or allow permissions on tagged resources.
B.Ensure that the proper tagging strategies have been implemented to identify all of your EC2 resources.
C.Add an IP address condition to policies that specify that the requests to EC2 instances should come from a specific IP address or CIDR block range.
D.All actions listed here would provide additional layers of protection.

Answer - D
Tagging allows you to understand which resources belong to the test, development, and production environment if done properly. Tags enable you to categorize your AWS resources differently, such as by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you`ve assigned to it. Each tag consists of a key and an optional value, both of which you define.
If you have tagging, you can then also allow permissions based on the tags.
You can also use IP Address conditions in IAM policies for denying access to AWS resources.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {"NotIpAddress": {"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]}}
}
}
Options A, B, and C all provide an additional layer of protection to the EC2 instances. Hence, D is the best answer.
For more information on tagging, please see the below link
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html