A company is reviewing a recent migration of a three-tier application to a VPC. The security team discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and egress rules between the application tiers. What should a solutions architect do to correct this issue?
A. Create security group rules using the instance ID as the source or destination.
B. Create security group rules using the security group ID as the source or destination.
C. Create security group rules using the VPC CIDR blocks as the source or destination.
D. Create security group rules using the subnet CIDR blocks as the source or destination.