The distinction between public and private services is about networking: a public service can be reached from the public internet. S3 is a public service even though, by default, no user other than the root user can access a bucket (reachability and authorization are separate questions).
- public internet (e.g. clients) → AWS public zone (e.g. S3) → AWS private zone (e.g. ECS, RDS)
- Private services can still be reached from outside via VPN or Direct Connect.
- Private services can reach the internet via an Internet Gateway and a NAT Gateway (outbound only; nothing on the internet can initiate a connection to them).
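The public/private distinction above is decided by route tables, so it can be checked mechanically. The following is an added example (not part of the original note) that classifies subnets from route-table data and flags private-zone resources placed in a public subnet; the route tables and resource list are constructed sample data shaped like the `describe_route_tables` output (an assumption, so the script runs offline).

```python
"""Classify VPC subnets as public/private/isolated from their route tables."""

# Constructed sample data, shaped like boto3 describe_route_tables() output (assumed).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}, {"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"RouteTableId": "rtb-isolated",
     "Associations": [{"SubnetId": "subnet-isolated"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

# Constructed sample: private-zone resources and the subnet each sits in.
RESOURCES = [
    {"name": "rds-main", "subnet": "subnet-db"},
    {"name": "ecs-task", "subnet": "subnet-app"},
    {"name": "rds-reporting", "subnet": "subnet-web"},  # deliberately misplaced
]


def default_route_target(routes):
    """Return the target of the 0.0.0.0/0 route, or None if the table has none."""
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("GatewayId") or r.get("NatGatewayId") or "other"
    return None


def classify_subnets(route_tables):
    """Map subnet id -> 'public' (default route via IGW: reachable inbound),
    'private' (default route via NAT/VPN/DX: outbound only) or 'isolated'."""
    result = {}
    for rt in route_tables:
        target = default_route_target(rt["Routes"])
        if target is None:
            label = "isolated"
        elif target.startswith("igw-"):
            label = "public"
        else:
            label = "private"  # nat-, vgw- (VPN) or tgw- (Direct Connect) targets
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                result[assoc["SubnetId"]] = label
    return result


def misplaced_resources(resources, route_tables):
    """Names of private-zone resources whose subnet is internet-reachable."""
    classes = classify_subnets(route_tables)
    return [r["name"] for r in resources if classes.get(r["subnet"]) == "public"]
```

A subnet routed to an IGW is only one half of exposure: the instance also needs a public IP and a permissive security group, so treat the "public" label as a prompt to check those, not as proof of exposure.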