Usage of Gateway endpoint

Hi Team,

I recently created a gateway endpoint to S3 and uploaded some files from an EC2 instance.

So I wanted to check how the gateway endpoint is being used. Please suggest.

Regards, Rajesh Khanna B

asked a year ago, 223 views
2 Answers
You can check the Gateway endpoint documentation to understand better how these work.

When you create a Gateway endpoint, a route is added to the route table of your VPC, so connections to S3 are redirected along that path instead of going over the public internet. Have a look at the routing section of the gateway documentation.

I also leave you this video, where you can see a quick guide on how to set up and use an S3 gateway endpoint (from the beginning until minute 3).

AWS
answered a year ago
EXPERT
reviewed a year ago
Hi, this is Abhi from AWS. There are multiple ways of verifying. Here are a few:

  1. Subnet Route Table Review: Review the route table of the subnet where the EC2 instance resides. Does it have a route to a NAT Gateway, NAT instance or Internet Gateway (IGW)? If it does not, that in itself proves that the communication between the EC2 instance and the S3 bucket is via the Gateway Endpoint for S3. If there is such a route, then Step 2 and/or Step 3 can be leveraged to get additional verification data.
  2. CloudTrail: You can review the CloudTrail logs and filter them based on the action you performed, for example a GET or a PUT. If the API call leveraged the Gateway Endpoint, you should see the field vpcEndpointId, which identifies the VPC endpoint through which requests were made from a VPC to another AWS service, such as Amazon S3.
  3. Server Access Logging: Server access logging provides detailed records for the requests that are made to an Amazon S3 bucket. Among other fields, it contains a field called "Remote IP", which is defined as the apparent IP address of the requester. Intermediate proxies and firewalls might obscure the actual IP address of the machine that is making the request. In the case of Gateway Endpoints for S3, this should be the private IPv4 address of the EC2 instance making the request. The following is an example of a log record where the "Remote IP" is 192.0.2.3:

79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DOC-EXAMPLE-BUCKET1 [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - "GET /DOC-EXAMPLE-BUCKET1?versioning HTTP/1.1" 200 - 113 - 7 - "-" "S3Console/0.4" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader DOC-EXAMPLE-BUCKET1.s3.us-west-1.amazonaws.com TLSV1.2 arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP Yes

As a best practice, to have fine-grained control over which resources can access a specific bucket, you can use Bucket Policies. As referenced in the linked re:Post article, you can use a bucket policy to specify which VPC endpoints, VPC source IP addresses, or external IP addresses can access the S3 bucket.

AWS
EXPERT
answered a year ago
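The three checks described in the answer above (and the route-table point made in the first answer) can be scripted against the data you would pull from `aws ec2 describe-route-tables`, a CloudTrail data event and an S3 server access log. The following is an added example written for this page, not code from AWS or from either answer. Every input is constructed inline: the `rtb-`, `pl-` and `vpce-` IDs are placeholders, the CloudTrail event and the access log line are made up in the documented field order, and the VPC CIDR `10.0.0.0/16` is an assumption. The `deny_unless_vpce_policy` helper builds the bucket policy the answer recommends, using the real IAM condition key `aws:sourceVpce`.

```python
"""Three offline checks that S3 traffic from an EC2 instance used a Gateway
endpoint: route table review, CloudTrail vpcEndpointId, and the Remote IP in
S3 server access logs. All sample inputs below are constructed."""
import ipaddress
import json
import re
from typing import Optional

# Constructed: shape of `aws ec2 describe-route-tables` output (placeholder IDs).
ROUTE_TABLES_JSON = json.dumps({"RouteTables": [{
    "RouteTableId": "rtb-0123456789abcdef0",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationPrefixListId": "pl-0123456789abcdef0",
         "GatewayId": "vpce-0123456789abcdef0", "State": "active"},
    ]}]})

# Constructed: a CloudTrail data event for the upload; vpcEndpointId appears
# only when the call traversed a VPC endpoint.
CLOUDTRAIL_EVENT = json.dumps({
    "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
    "sourceIPAddress": "10.0.1.25", "vpcEndpointId": "vpce-0123456789abcdef0",
    "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET1", "key": "upload.bin"}})

# Constructed: an S3 server access log record in the documented field order.
ACCESS_LOG_LINE = (
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DOC-EXAMPLE-BUCKET1 "
    "[06/Feb/2019:00:00:38 +0000] 10.0.1.25 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be "
    '3E57427F3EXAMPLE REST.PUT.OBJECT upload.bin "PUT /DOC-EXAMPLE-BUCKET1/upload.bin HTTP/1.1" '
    '200 - - 1024 12 5 "-" "aws-cli/2.15.0" - hostid= SigV4 ECDHE-RSA-AES128-GCM-SHA256 '
    "AuthHeader DOC-EXAMPLE-BUCKET1.s3.us-west-1.amazonaws.com TLSV1.2 - No")


def route_table_summary(describe_output: str, table_id: str) -> dict:
    """Step 1: does the subnet's route table reach the internet (IGW, NAT gateway
    or NAT instance), and does it carry an S3 prefix-list route to a vpce-?"""
    tables = json.loads(describe_output)["RouteTables"]
    routes = next(t["Routes"] for t in tables if t["RouteTableId"] == table_id)
    summary = {"internet_route": False, "s3_endpoint_route": False}
    for r in routes:
        if r.get("State") != "active":
            continue
        target = r.get("GatewayId") or r.get("NatGatewayId") or r.get("InstanceId") or ""
        if target.startswith(("igw-", "nat-", "i-")):
            summary["internet_route"] = True
        if target.startswith("vpce-") and "DestinationPrefixListId" in r:
            summary["s3_endpoint_route"] = True
    return summary


def cloudtrail_vpc_endpoint(event_json: str) -> Optional[str]:
    """Step 2: return the vpcEndpointId of the event, or None if the request
    did not enter S3 through a VPC endpoint."""
    return json.loads(event_json).get("vpcEndpointId")


# Leading access log fields: bucket owner, bucket, [time], remote IP, requester,
# request ID, operation, key, "request URI", HTTP status.
_ACCESS_LOG_RE = re.compile(
    r'^(\S+) (\S+) \[([^\]]+)\] (\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)')


def parse_access_log(line: str, vpc_cidr: str) -> dict:
    """Step 3: extract the Remote IP and report whether it lies inside the VPC,
    i.e. S3 saw the instance's private address rather than a NAT/public one."""
    m = _ACCESS_LOG_RE.match(line)
    if not m:
        raise ValueError("not an S3 server access log line")
    _owner, bucket, _when, remote_ip, _req, _rid, op, key, _uri, status = m.groups()
    addr = ipaddress.ip_address(remote_ip)
    return {"bucket": bucket, "operation": op, "key": key, "status": int(status),
            "remote_ip": remote_ip,
            "inside_vpc": addr.version == 4 and addr in ipaddress.ip_network(vpc_cidr)}


def verify_gateway_endpoint_use(describe_output, table_id, event_json, line, vpc_cidr) -> dict:
    """Combine the three checks: no internet route is proof by itself; otherwise
    CloudTrail or the access log must show the endpoint / private address."""
    routes = route_table_summary(describe_output, table_id)
    vpce = cloudtrail_vpc_endpoint(event_json)
    log = parse_access_log(line, vpc_cidr)
    return {"route_table": routes, "cloudtrail_vpce": vpce,
            "access_log_inside_vpc": log["inside_vpc"],
            "used_gateway_endpoint": routes["s3_endpoint_route"] and (
                not routes["internet_route"] or vpce is not None or log["inside_vpc"])}


def deny_unless_vpce_policy(bucket: str, vpce_id: str) -> dict:
    """Hardening: bucket policy rejecting any request not arriving via vpce_id."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromGatewayEndpoint", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}


if __name__ == "__main__":
    print(json.dumps(verify_gateway_endpoint_use(
        ROUTE_TABLES_JSON, "rtb-0123456789abcdef0", CLOUDTRAIL_EVENT,
        ACCESS_LOG_LINE, "10.0.0.0/16"), indent=2))
```

Two caveats for anyone applying the policy part: `deny_unless_vpce_policy` denies every principal, including the account's administrators working from the console or from outside the VPC, so apply it to a test bucket first and keep a path (for example an explicit exception for an admin role ARN in the condition) before rolling it out; and the Remote IP test is only meaningful when compared against the VPC's own CIDR, since a VPC may legitimately use non-RFC 1918 ranges.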
