An additional control layer is to verify outgoing traffic (Outbound VPC traffic), to ensure that your instances are only communicating where it is desirable and expected, like connecting to the manufacturer of an operating system or application for updates, and not to malicious URLs/IP addresses, or establishing tunnels for remote access.
There are multiple ways to control outgoing traffic on AWS.
With Route 53 Resolver DNS Firewall you can filter and regulate outbound DNS traffic for your virtual private cloud (VPC). It’s recommended to deny access to all domains except for the ones that you explicitly trust. It’s easy to implement and simple to deploy thru AWS Firewall Manager in a multi-account environment.
Note: This type of firewall will not prevent an outgoing connection to a IP address, but most malware outgoing connections are to URLs, and many time the infection can be prevented by disallowing the fetching of the malware in the first place.
You can also use any of the Next-Gen Firewall / UTM solutions available in the AWS Marketplace to filter outgoing traffic.
Use AWS PrivateLink To establish private communications with the VPCs of your business associates when possible, so that such traffic does not go over the internet.
The following blogpost explains how to deploy a proxy (Squid) for outgoing traffic filtering and provides a CloudFormation template to facilitate its deployment:
If there is a SIEM consider sending the logs of the service (or virtual appliance) filtering trafic (such as Next-gen firewalls or proxys) for the detection of Shadow IT, and the configuration of other alerts.