We are having issues with anonymous users, aka XenForo, trying to access it.
If this is what I think you're asking about...
Your firewall on AWS should be set to block access to port 9200 from outside, if you are hosting XF and ES on the same server instance. If the forum is hosted elsewhere, you should allow in only the IP address of the remote XF.
Since I host both on the same server for now, I only allow the bare minimum of ports in, so 9200 is excluded already. And network.host is set to "localhost" in elasticsearch.yml (I believe in recent versions, it is set to that by default).
Since I may split ES to its own cloud server in the near future, I am going to use our host's internal IP address (10.0.0.0/8) so requests stay inside their network.
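The two checks described in the reply above (nothing outside the trusted range may reach port 9200, and `network.host` stays on loopback when XF and ES share a server), as an added example that is not part of the original post. The rule dictionary shape, the function names and the sample rules are assumptions made up for illustration.

```python
import ipaddress

ES_PORT = 9200  # Elasticsearch HTTP port discussed in the thread


def exposed_rules(rules, allowed_sources):
    """Return ingress rules that open ES_PORT to sources outside allowed_sources.

    rules: list of dicts with 'from_port', 'to_port', 'cidr' (hypothetical
    shape, loosely modelled on a firewall rule export).
    allowed_sources: CIDR strings permitted to reach Elasticsearch.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    findings = []
    for rule in rules:
        if not (rule["from_port"] <= ES_PORT <= rule["to_port"]):
            continue  # rule does not cover 9200
        src = ipaddress.ip_network(rule["cidr"])
        # Acceptable only if the whole source range sits inside an allowed network
        if not any(src.version == net.version and src.subnet_of(net)
                   for net in allowed):
            findings.append(rule)
    return findings


def bind_is_local(network_host):
    """True if a network.host value keeps ES on loopback only."""
    if network_host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(network_host).is_loopback
    except ValueError:
        return False  # unclassifiable value: treat as not local


# Constructed sample rules, not taken from any real account
SAMPLE_RULES = [
    {"from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"from_port": 9200, "to_port": 9200, "cidr": "0.0.0.0/0"},
    {"from_port": 9000, "to_port": 9300, "cidr": "203.0.113.0/24"},
    {"from_port": 9200, "to_port": 9200, "cidr": "10.1.2.3/32"},
]

if __name__ == "__main__":
    for r in exposed_rules(SAMPLE_RULES, ["10.0.0.0/8"]):
        print("port 9200 reachable from", r["cidr"])
    print("loopback only:", bind_is_local("localhost"))
```

A port range such as 9000-9300 is flagged as well, since it covers 9200 even though the rule never names that port.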