Traffic between S3 and an EC2 instance in a public subnet doesn’t go over the public Internet when both are in the same region. The traffic goes to the “AWS edge” (Internet Gateway) in that region. It is the “public Internet” in the sense that you need an Internet Gateway, and S3’s endpoints are Internet-facing. However, the traffic does not move beyond the AWS-controlled networks if you stay within the same region. Traffic from the EC2 instances (or other AWS services) simply travels via the Internet Gateway to S3. Obviously, for EC2 instances in private subnets, the traffic would need to go through a NAT instance.