AWS Certified Security – Specialty SCS-C01 – Question208

A company wants to deploy an application in a private VPC that will not be connected to the internet. The company’s security team will not allow bastion hosts or methods using SSH to log in to Amazon EC2 instances. The application team plans to use AWS Systems Manager Session Manager to connect to and manage the EC2 instances.
Which combination of steps should the security team take? (Choose three.)

A. Make sure the Systems Manager Agent is installed and running on all EC2 instances inside the VPC.
B. Ensure the IAM role attached to the EC2 instances in the VPC allows access to Systems Manager.
C. Create an SCP that prevents the creation of SSH key pairs.
D. Launch a NAT gateway in the VPC. Update the routing policies to forward traffic to this NAT gateway.
E. Ensure proper VPC endpoints are in place for Systems Manager and Amazon EC2.
F. Ensure the VPC has a transit gateway attachment. Update the routing policies to forward traffic to this transit gateway.