After you provision the endpoint, you can use the Linux dig command to verify that communication between the Secure Agent and S3 bucket goes through the VPC. To do this, enter the following command and verify that the IP addresses returned are part of the subnet where you created your interface endpoint:
dig s3.<region>.amazonaws.com +short