AWS Certified Advanced Networking - Specialty (#19)

Your company decides to use Amazon S3 to augment its on-premises data store. Instead of using the company’s highly controlled, on-premises Internet gateway, a Direct Connect connection is ordered to provide high bandwidth, low latency access to S3. Since the company does not own a publicly routable IPv4 address block, a request was made to AWS for an AWS-owned address for a Public Virtual Interface (VIF). The security team is calling this new connection a “backdoor”, and you have been asked to clarify the risk to the company. Which concern from the security team is valid and should be addressed?

AWS advertises its aggregate routes to the Internet allowing anyone on the Internet to reach the router.
Direct Connect customers with a Public VIF in the same region could directly reach the router.
EC2 instances in the same region with access to the Internet could directly reach the router.
The S3 service could reach the router through a pre-configured VPC Endpoint.