A company wants to use AWS Systems Manager to manage a fleet of Amazon EC2 instances.
According to the company’s security requirements, no EC2 instances can have internet access. A solutions architect needs to design network connectivity from the EC2 instances to Systems Manager while fulfilling this security obligation.
Which solution will meet these requirements?
A. Deploy the EC2 instances into a private subnet with no route to the internet.
B. Configure an interface VPC endpoint for Systems Manager. Update routes to use the endpoint.
C. Deploy a NAT gateway into a public subnet. Configure private subnets with a default route to the NAT gateway.
D. Deploy an internet gateway. Configure a network ACL to deny traffic to all destinations except Systems Manager.