Best Practices - Security Rule for Accessing AWS RDS from Galaxy?

I have a Postgres database hosted on AWS RDS. I’d like to be able to access it from a Meteor/Apollo app hosted on Galaxy. What’s the correct way to set up my inbound security rules on AWS? Do I have to permit inbound traffic from all IP addresses (ip == 0.0.0.0), and rely on username/password for security?