Colin Webber
The statement that managed services need to be accessed via the public Internet is no longer entirely true. You mention S3 endpoints and possible future additions to this. VPC endpoints seems to be the more generic term for this and now also supports DynamoDB.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html