An employee unknowingly keeps terminating EC2 instances on the production environment. You want to restrict the user from terminating the production instances or add an extra layer of defense before he tries to do that next time. Which of the following options are suitable? (Select TWO.)

Answer options:

A.Tag the instances with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call to instances with the production tag.
B.Tag the instances with a production-identifying tag. Give the IAM user an implicit deny on the EC2 terminate API call for all the EC2 instances.
C.Modify the IAM policy on the user to require MFA before deleting EC2 instances and disable MFA access to the employee.
D.The user should be authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.

Correct Answer: A & D
The key point to this question is the “extra layer of defence against terminating the instances”.
Option A is CORRECT because with tags you can explicitly deny an action. Check the following example:
{
"Sid": "DenyDelete",
"Action": [
"ec2:TerminateInstances"
],
"Effect": "Deny",
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"ec2:ResourceTag/Production": "true"
}
}
}
From the article below:
“In some contexts, you may optionally choose to explicitly deny a group of users the ability to manage specific instances. Explicit denial policies are not generally required since IAM is deny-all by default. But the use of an explicit deny policy can provide an additional layer of protection since the presence of a deny statement will cause the user to be denied the ability to act even if another policy statement would have allowed it.” 
For more information
https://aws.amazon.com/blogs/security/resource-level-permissions-for-ec2-controlling-management-access-on-specific-instances/
Option B is incorrect. While it starts correctly by tagging production instances, it does not use the production tag in the IAM policy. Besides, the IAM policy should contain an explicit deny instead of an implicit deny.
Option C is incorrect because disabling MFA removes layers of protections rather than adds them. 
Option D is CORRECT because it ensures that an AWS MFA device authenticates the user before the employee can delete objects (termination protection for instances). The following condition can be added to the IAM policy:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
From the article below:
“You can also set conditions that require the use of SSL or MFA (multi-factor authentication). For example, you can require that a user has authenticated with an MFA device in order to be allowed to terminate an Amazon EC2 instance.”
For more information
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html#MFAProtectedAPI-resource-policies