The correct answer is D, Security groups. Security groups act as virtual firewalls for your EC2 instances, controlling both incoming and outgoing traffic based on rules you define. These rules specify the allowed traffic's source and destination, and they can be modified at any time, with changes automatically applied to all associated instances. While AWS WAF (A) is for web access control, Network ACLs (B) operate at the subnet level, and Amazon VPC (C) is for creating virtual networks, none of these directly apply security rules to specific EC2 instances like security groups do.