A company wants to use AWS Systems Manager Patch Manager to patch Amazon EC2 instances that run Amazon Linux 2.The EC2 instances are running in a single AWS account.No internet connectivity is allowed from any EC2 instances in the account.A security engineer has configured the relevant settings in Patch Manager.The security engineer now needs to ensure that the EC2 instances can connect to the Systems Manager endpoint.
Which combination of steps must the security engineer take to meet these requirements?
(Choose three.)
Create a gateway VPC endpoint for com.amazonaws.[region].s3.
Create VPC endpoints for com.amazonaws.[region].ec2messages and com.amazonaws.[region].ssm.
Create a NAT gateway.
Update the route tables to route Systems Manager traffic through the NAT gateway.
Update the route tables with a route to the gateway VPC endpoint.
Update the route tables to route the update traffic through the NAT gateway.