Which solution will meet these requirements?
Deploy the EC2 instances into a private subnet with no route to the internet.
Configure an interface VPC endpoint for Systems Manager. Update routes to use the endpoint.
Deploy a NAT gateway into a public subnet. Configure private subnets with a default route to the NAT gateway.
Deploy an internet gateway. Configure a network ACL to deny traffic to all destinations except Systems Manager.
Explanations:
Deploying EC2 instances into a private subnet with no route to the internet alone does not provide connectivity to Systems Manager, as it requires some form of network access to communicate with the service.
Configuring an interface VPC endpoint for Systems Manager places an endpoint network interface inside the VPC, so the EC2 instances in the private subnet reach Systems Manager over the AWS network without any route to the internet. This meets both the security requirement and the need for connectivity.
Deploying a NAT gateway in a public subnet allows instances in private subnets to access the internet, which violates the security requirement of having no internet access for EC2 instances.
Deploying an internet gateway and configuring a network ACL to deny traffic to all destinations except Systems Manager does not ensure that the EC2 instances do not have internet access, as the internet gateway still provides a route to the internet.
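The correct option, written out as infrastructure code. This is an added example, not part of the original question or any AWS material: a private subnet whose route table carries only the local VPC route, and the interface endpoints the Systems Manager agent actually uses (the ssm, ssmmessages and ec2messages services; the question mentions only "Systems Manager"). The region, CIDR blocks and resource names are assumptions. The instance itself still needs an IAM instance profile with permissions such as the AWS managed policy AmazonSSMManagedInstanceCore, which is omitted here.

```hcl
# Added example (not from the original page). Region, CIDRs and names are assumptions.

variable "region" {
  default = "us-east-1" # assumption
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true # both DNS settings are needed for private DNS on interface endpoints
  enable_dns_hostnames = true
}

# Private subnet: the associated route table defines no default route,
# so there is no path to an internet gateway or a NAT gateway.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  # intentionally no route blocks: only the implicit local route remains
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Security group for the endpoint network interfaces: HTTPS only, only from inside the VPC.
resource "aws_security_group" "ssm_endpoints" {
  name   = "ssm-endpoints"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

# The SSM agent (including Session Manager) talks to three services;
# each gets its own interface endpoint in the private subnet.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages"])
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true # the public service hostname resolves to the endpoint ENI inside the VPC
}
```

With private DNS enabled, the agent keeps using the public service hostnames and no route table change is required for an interface endpoint (route entries are only needed for gateway endpoints such as S3). A quick check after deployment is that the instance shows up as managed in Systems Manager Fleet Manager while the private route table still lists only the local route.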