If you have deployed your resources in a VPC, you are already moving in the right direction. Here we are mostly going to concern ourselves with network security and the tools or features a VPC provides for enhancing it.
Security Groups are the first layer of defense, as the AWS documentation puts it. A Security Group (SG) is attached to an EC2 instance (strictly speaking, to its elastic network interface, and RDS, load balancers and other VPC resources use them as well) and acts as a stateful firewall that supports allow rules only: anything not explicitly allowed is dropped, and return traffic for an allowed connection is permitted automatically without needing a matching rule in the other direction.
They are very flexible, and an EC2 instance can have multiple such groups attached, in which case the rules of all of them are combined into a single allow set (there is no rule ordering and nothing one group allows can be taken away by another). Rules can be based on host IP addresses, CIDR ranges or even other Security Groups, for example, allow inbound TCP/80 (HTTP) from a given group ID, which then matches traffic from every interface carrying that group, regardless of its address.
Usually, within a VPC we create one SG per role, such as web server, database or cache, and attach the respective SG to every instance of that component. Traffic between the components of the platform is then regulated by group references rather than by addresses that change as instances are replaced. Because SGs have no deny rules, blocking a specific source cannot be expressed in an SG and has to be done elsewhere, for example in a Network ACL.
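The following Python is an added illustration, not code from the original post, that models how ingress evaluation works for the per-role layout described above: one group per tier, chained by group references, plus a second group on some instances to show that multiple groups are unioned. The group IDs (sg-web, sg-app, and so on) and all addresses are made up for the example; real group IDs look like sg-0123456789abcdef0.

```python
"""Model of EC2 Security Group ingress evaluation (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ingress allow rule. Security groups have no deny rules at all."""
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all traffic (the AWS API spelling)
    from_port: int  # port range; ignored when protocol is "-1"
    to_port: int
    source: str     # either a CIDR such as "10.0.0.0/16" or a security group ID

    def matches(self, protocol, port, src_ip, src_groups):
        if self.protocol != "-1":
            if self.protocol != protocol or not self.from_port <= port <= self.to_port:
                return False
        if self.source.startswith("sg-"):
            # Group reference: matches traffic from any interface that carries
            # that group, whatever its IP address.
            return self.source in src_groups
        return ip_address(src_ip) in ip_network(self.source)


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)


@dataclass
class Instance:
    private_ip: str
    groups: tuple   # every group attached to the instance's network interface


def ingress_allowed(groups, dst, src_ip, src_groups, protocol, port):
    """True if any rule in any of the destination's groups permits the packet.

    Rules form a union: there is no ordering and no group can subtract from
    what another one allows.  Return traffic of an allowed flow is not
    evaluated at all (security groups are stateful), so only the
    connection-initiating direction is modelled here.
    """
    return any(
        rule.matches(protocol, port, src_ip, src_groups)
        for gid in dst.groups
        for rule in groups[gid].ingress
    )


def reaches(groups, hosts, src_name, dst_name, protocol, port):
    """Can instance src_name open a connection to dst_name on protocol/port?"""
    src = hosts[src_name]
    return ingress_allowed(groups, hosts[dst_name], src.private_ip,
                           set(src.groups), protocol, port)


def three_tier():
    """Constructed fixture: one security group per role, chained by group references.

    Group IDs and addresses are hypothetical.
    """
    groups = {
        "sg-bastion": SecurityGroup("sg-bastion", [
            Rule("tcp", 22, 22, "198.51.100.0/24"),   # SSH only from the corporate range
        ]),
        "sg-ssh-admin": SecurityGroup("sg-ssh-admin", [
            Rule("tcp", 22, 22, "sg-bastion"),        # attached as a second group where needed
        ]),
        "sg-web": SecurityGroup("sg-web", [
            Rule("tcp", 443, 443, "0.0.0.0/0"),       # public HTTPS
        ]),
        "sg-app": SecurityGroup("sg-app", [
            Rule("tcp", 8080, 8080, "sg-web"),        # only the web tier may call the app
        ]),
        "sg-db": SecurityGroup("sg-db", [
            Rule("tcp", 5432, 5432, "sg-app"),        # only the app tier may reach Postgres
        ]),
    }
    hosts = {
        "bastion": Instance("10.0.0.10", ("sg-bastion",)),
        "web": Instance("10.0.1.10", ("sg-web", "sg-ssh-admin")),
        "app": Instance("10.0.2.10", ("sg-app", "sg-ssh-admin")),
        "db": Instance("10.0.3.10", ("sg-db",)),        # deliberately no admin SSH group
    }
    return groups, hosts


if __name__ == "__main__":
    groups, hosts = three_tier()
    internet = ("203.0.113.7", set())
    print("internet -> web:443 ", ingress_allowed(groups, hosts["web"], *internet, "tcp", 443))
    print("internet -> db:5432 ", ingress_allowed(groups, hosts["db"], *internet, "tcp", 5432))
    print("web -> db:5432      ", reaches(groups, hosts, "web", "db", "tcp", 5432))
    print("app -> db:5432      ", reaches(groups, hosts, "app", "db", "tcp", 5432))
    print("bastion -> db:22    ", reaches(groups, hosts, "bastion", "db", "tcp", 22))
```

The point to take from the model is that the database is reachable only from interfaces carrying sg-app, and that adding sg-ssh-admin to an instance widens its allow set without any way to narrow what sg-web or sg-app already permit; the only "deny" available is the absence of a rule.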