An organization runs several EC2 instances inside a VPC using three subnets, one for Development, one for Test, and one for Production. The Security team has some concerns about the VPC configuration. It requires restricting communication across the EC2 instances using Security Groups.
Which of the following options is true for Security Groups related to the scenario?

A) Security Groups operate at the subnet level.
B) Security Groups are stateful, meaning they track the state of the instance.
C) Security Groups are applied at the instance level.
D) Security Groups are independent of the VPC.