Using VPC Endpoints to Access Systems Manager
Protecting Managed Instances
AWS explains that, to improve the security posture of your managed instances, you can configure AWS Systems Manager to use an interface VPC endpoint. An interface VPC endpoint enables you to connect to services powered by AWS PrivateLink, a technology that enables you to privately access Amazon EC2 and Systems Manager APIs by using private IP addresses. This means that your managed instances don't have access to the Internet.
For more information, visit the AWS documentation on creating VCP endpoints.
If the organization uses Systems Manager to manage instances that do not have Internet access, a VPC endpoint will have to be created to allow access to those instances that do not have Internet access. The information you’re going to need to create that VPC endpoint is going to be the VPC, the subnets, you’re going to have to enable DNS, and you’re going to have to have security groups configured.