AWS Certified Advanced Networking - Specialty (#22)

You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URL, the instances should be able to access any Amazon S3 bucket in the same region via any URL. Which of the following solutions should you deploy? (Select two.)

Include s3.amazonaws.com in the whitelist.
Create a VPC endpoint for S3.
Run Squid proxy on a NAT instance.
Deploy a NAT gateway into your VPC.
Utilize a security group to restrict access.