Your firewall on AWS should be set to block access to port 9200 from outside, if you are hosting XF and ES on the same server instance. If the forum is hosted elsewhere, you should allow in only the IP address of the remote XF.
Since I host both on the same server for now, I only allow the bare minimum of ports in, so 9200 is excluded already. And network.host is set to "localhost" in elasticsearch.yml (I believe in recent versions, it is set to that by default).
Since I may split ES to its own cloud server in the near future, I am going to use our host's internal IP address (10.0.0.0/8) so requests stay inside their network.
Were you operating in a VPC? If so, did you open up access to your private IPs (or does the ES service run over public IPs)? Do you mind posting any non-sensitive security-group / policy configs you used to make it work?
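An added example, not part of the original thread: a small audit of AWS security-group ingress rules that flags any rule letting a source outside an allow-list reach port 9200. The input mirrors the `SecurityGroups` list returned by `aws ec2 describe-security-groups`; the group IDs, the 203.0.113.10 address standing in for a remote XF server, and the function names are constructed for illustration.

```python
import ipaddress

ES_PORT = 9200  # Elasticsearch HTTP port discussed in the thread

def covers_port(perm, port=ES_PORT):
    """True if one IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means every protocol and every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_es_rules(groups, allowed=("10.0.0.0/8",)):
    """Return (group_id, cidr) for each ingress CIDR that can reach port 9200
    and is not contained in one of the allowed networks.
    Rules that reference other security groups (UserIdGroupPairs) are not checked."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_port(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if not any(net.version == a.version and net.subnet_of(a)
                           for a in allowed_nets):
                    findings.append((sg["GroupId"], cidr))
    return findings

# Constructed sample data in the shape of describe-security-groups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-es-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-es-ok", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
]

if __name__ == "__main__":
    for group_id, cidr in exposed_es_rules(SAMPLE_GROUPS, ("10.0.0.0/8", "203.0.113.10/32")):
        print(f"{group_id}: port {ES_PORT} reachable from {cidr}")
```

To run it against a real account, load the JSON from `aws ec2 describe-security-groups` and pass its `SecurityGroups` list as `groups`.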