Day 1 said NAT Gateway can become an exfiltration path. App Tier reading objects from S3 usually exits to Internet via NAT. But NAT allows outbound broadly — whether to S3 or attacker''s server, it doesn''t distinguish. When a compromised instance using stolen creds exfiltrates company data to external S3 bucket, NAT can''t stop it.
VPC Endpoint solves this problem fundamentally. Connect to AWS services (S3, DynamoDB, KMS, Secrets Manager, etc.) without the Internet, privately inside the AWS backbone. Removing the Internet route removes the exfiltration path itself