EC2 instances and RDS in public subnets had to be moved to private subnets in their current VPC and reconfigured there.
The .pem files used for SSH to the EC2 instances would no longer be usable, and RDS public access (URL endpoints) would be revoked too.
VPC endpoints configured on the private subnets, together with the Systems Manager agents running on the EC2 instances, were the new access point.
IAM and EC2 instance profile role permissions would allow the private access.
RDS access is via the EC2 instances acting as a bastion, controlled via the security group.
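A check for the end state described above, as an added example that is not part of the original notes: it audits data shaped like boto3 `describe_*` responses and reports anything that still exposes EC2 or RDS publicly. The region, all IDs, port 3306, the three-endpoint set and the function names are assumptions made for illustration.

```python
REGION = "us-east-1"  # assumed region
# Interface endpoints Systems Manager commonly needs with no internet path (assumption).
REQUIRED = {f"com.amazonaws.{REGION}.{s}" for s in ("ssm", "ssmmessages", "ec2messages")}

def opens_port(perm, port):
    """True if a security-group permission covers the given TCP port."""
    if perm["IpProtocol"] == "-1":  # all protocols, all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def audit(env, ec2_sg, db_sg):
    """Return findings for an environment dict; an empty list means the design holds."""
    out = []
    sgs = {g["GroupId"]: g for g in env["SecurityGroups"]}
    for i in env["Instances"]:
        if i.get("PublicIpAddress"):
            out.append(f"{i['InstanceId']}: public IP assigned")
        if not i.get("IamInstanceProfile"):
            out.append(f"{i['InstanceId']}: no instance profile for Systems Manager")
    if any(opens_port(p, 22) for p in sgs[ec2_sg]["IpPermissions"]):
        out.append(f"{ec2_sg}: inbound SSH still allowed")
    have = {e["ServiceName"] for e in env["VpcEndpoints"] if e["State"] == "available"}
    out += [f"missing VPC endpoint: {s}" for s in sorted(REQUIRED - have)]
    out += [f"{d['DBInstanceIdentifier']}: PubliclyAccessible is true"
            for d in env["DBInstances"] if d["PubliclyAccessible"]]
    for p in sgs[db_sg]["IpPermissions"]:  # RDS must be reachable only from the EC2 group
        if p.get("IpRanges"):
            out.append(f"{db_sg}: CIDR-based ingress to RDS")
        out += [f"{db_sg}: ingress from {g['GroupId']}, expected only {ec2_sg}"
                for g in p.get("UserIdGroupPairs", []) if g["GroupId"] != ec2_sg]
    return out

def tcp(port, cidr=None, group=None):
    """Build one constructed ingress permission in describe_security_groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}

# Constructed sample data (all IDs made up): before and after the move to private subnets.
BEFORE = {"Instances": [{"InstanceId": "i-0example", "PublicIpAddress": "203.0.113.10"}],
          "DBInstances": [{"DBInstanceIdentifier": "appdb", "PubliclyAccessible": True}],
          "VpcEndpoints": [],
          "SecurityGroups": [{"GroupId": "sg-ec2", "IpPermissions": [tcp(22, cidr="0.0.0.0/0")]},
                             {"GroupId": "sg-db", "IpPermissions": [tcp(3306, cidr="0.0.0.0/0")]}]}
AFTER = {"Instances": [{"InstanceId": "i-0example", "IamInstanceProfile": {"Arn": "arn:example"}}],
         "DBInstances": [{"DBInstanceIdentifier": "appdb", "PubliclyAccessible": False}],
         "VpcEndpoints": [{"ServiceName": s, "State": "available"} for s in sorted(REQUIRED)],
         "SecurityGroups": [{"GroupId": "sg-ec2", "IpPermissions": []},
                            {"GroupId": "sg-db", "IpPermissions": [tcp(3306, group="sg-ec2")]}]}
if __name__ == "__main__":
    print(audit(BEFORE, "sg-ec2", "sg-db"), audit(AFTER, "sg-ec2", "sg-db"), sep="\n")
```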