And the s3 buckets/dynamodb/whatever other data you store should be vpc restricted. Ours are like this by default, for exceptions (like aws services that run in some internal vpc that's not exposed) you can make an exception per role.