AWS Certified Cloud Practitioner


Identify the AWS service that functions as a virtual firewall for EC2 instances, controlling both inbound and outbound traffic.




Explanation:

The correct answer is D, Security group. A security group acts as a virtual firewall for EC2 instances, controlling the traffic that is allowed to enter and leave the instance. It operates at the instance level, and its rules determine which traffic is permitted. In contrast, Network ACLs (A) work at the subnet level and are stateless, meaning they do not track return traffic from the instance. Elastic network interfaces (B) are virtual network interfaces that attach to instances in a VPC, but they do not function as a firewall. Amazon VPC (C) is a service for creating isolated networks within the AWS cloud, but it is not a firewall itself.