jonstewart 7 hours ago

My team uses a squid proxy to control egress for AWS VPCs, all integrated into our CDK scripts. The CDK script states the allowlist (including AWS endpoints) for the VPC, and squid enforces it, including DNS. It works beautifully well. Locking down egress is one of the best defense in depth measures, as it makes it difficult for threat actors to download their tools and talk to their C2.
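The allowlist-to-squid pattern the comment describes, as an added example that is not the commenter's CDK code. It assumes squid's `dstdomain` ACL semantics (a leading dot matches the domain and all of its subdomains, an entry without a leading dot matches only that exact host), and the AWS endpoints and region in the allowlist are illustrative. The matcher lets you test a candidate hostname against the allowlist before deploying the generated config.

```python
"""Generate a squid egress allowlist config and check hostnames against it.

Added example; the allowlist below is constructed for illustration and is
not a real deployment's list. Squid semantics assumed: 'dstdomain .x.com'
matches x.com and every subdomain, 'dstdomain x.com' matches only x.com.
"""

# Constructed allowlist, the kind of list a CDK stack might emit per VPC.
ALLOWLIST = [
    ".s3.us-east-1.amazonaws.com",   # S3 API and bucket-style hosts
    "sts.us-east-1.amazonaws.com",   # STS, exact host only
    ".ecr.us-east-1.amazonaws.com",  # ECR API and registry hosts
    "deb.debian.org",                # OS package mirror, exact host only
]


def validate_entry(entry):
    """Reject forms squid's dstdomain does not understand (wildcards,
    schemes, ports, paths), which otherwise fail silently or over-match."""
    if not entry or any(ch in entry for ch in "*/: "):
        raise ValueError(f"not a valid dstdomain entry: {entry!r}")
    return entry.lower()


def render_squid_conf(allowlist, listen_port=3128):
    """Emit a minimal squid.conf: allow only listed destinations on 80/443,
    CONNECT only to 443, deny everything else (deny-by-default)."""
    lines = [
        f"http_port {listen_port}",
        "acl SSL_ports port 443",
        "acl Safe_ports port 80 443",
        "acl CONNECT method CONNECT",
    ]
    for entry in allowlist:
        lines.append(f"acl allowed_dst dstdomain {validate_entry(entry)}")
    lines += [
        "http_access deny !Safe_ports",
        "http_access deny CONNECT !SSL_ports",
        "http_access allow allowed_dst",
        "http_access deny all",  # the line that makes this an allowlist
    ]
    return "\n".join(lines) + "\n"


def dstdomain_match(entry, host):
    """Mirror squid's dstdomain matching for one entry."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry.startswith("."):
        # ".s3.us-east-1.amazonaws.com" matches the apex and any subdomain,
        # but not "s3.us-east-1.amazonaws.com.attacker.net".
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_allowed(host, allowlist=ALLOWLIST):
    """True if the proxy would let a client reach this hostname."""
    return any(dstdomain_match(e, host) for e in allowlist)


if __name__ == "__main__":
    print(render_squid_conf(ALLOWLIST))
    for h in ["mybucket.s3.us-east-1.amazonaws.com",
              "sts.us-east-1.amazonaws.com",
              "sts.eu-west-1.amazonaws.com",
              "s3.us-east-1.amazonaws.com.attacker.net"]:
        print(f"{h}: {'allow' if is_allowed(h) else 'deny'}")
```

Because clients hand the proxy a hostname and squid performs the lookup and the outbound connect itself, instances whose only route out is the proxy get neither direct DNS nor direct TCP to the internet (this assumes the VPC has no other egress path, which is the deployment described). The `validate_entry` check exists because `*.amazonaws.com`-style wildcards are a common mistake in hand-written allowlists; squid wants the leading-dot form.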