I have a security group assigned to an RDS instance which allows port 5432 traffic from our EC2 instances.
However, this security group has all outbound traffic enab
When using Security Groups (as opposed to ACL rules), all inbound traffic is automatically allowed in outbound traffic, so outbound rules may be empty in your case.
Is this a security risk? What should be the ideal outbound security rule? In my perspective, the outbound traffic for the RDS security group should be limited to port 5432 to our EC2 instances, is this right?
It's a risk only if your RDS is in a public subnet inside your VPC.
Best practices recommend, in your scenario, having a public subnet with your web server and a private subnet for all private resources (RDS, other private services, etc.).
As you can see in the image, when hosting your RDS inside a private subnet there is no way to access it from outside your VPC.
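An added example, not part of the original posts: an offline check of the setup in the question, run on constructed records in the shape returned by `aws ec2 describe-security-groups`. The group ids, the `audit_db_group` name and the sample records are assumptions for illustration.

```python
# Added example. Records mimic `aws ec2 describe-security-groups` output;
# every group id and CIDR here is constructed, not taken from the page.
DB_PORT = 5432
ANYWHERE = {"0.0.0.0/0", "::/0"}
APP_SG = "sg-0aaa0000000000001"   # hypothetical EC2 (app tier) group id

def _cidrs(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def _covers(rule, port):
    if rule["IpProtocol"] == "-1":          # "-1" = all protocols and ports
        return True
    return rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]

def audit_db_group(group, app_group_ids):
    """Return (finding, detail) tuples for a database security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not _covers(rule, DB_PORT):
            continue
        for cidr in _cidrs(rule):           # DB port reachable by address range
            kind = "ingress-open" if cidr in ANYWHERE else "ingress-cidr"
            findings.append((kind, cidr))
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] not in app_group_ids:
                findings.append(("ingress-unknown-group", pair["GroupId"]))
    for rule in group.get("IpPermissionsEgress", []):
        for cidr in _cidrs(rule):           # DB may initiate connections anywhere
            if cidr in ANYWHERE:
                findings.append(("egress-any", rule["IpProtocol"]))
    return findings

INGRESS_FROM_APP = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]}]
ALLOW_ALL_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                     "UserIdGroupPairs": []}]

# The group as described in the question: 5432 from EC2, all outbound allowed.
AS_ASKED = {"GroupId": "sg-0bbb0000000000002",
            "IpPermissions": INGRESS_FROM_APP, "IpPermissionsEgress": ALLOW_ALL_EGRESS}
# Same ingress, no outbound rules: replies to allowed inbound connections still
# flow because security groups are stateful.
NO_EGRESS = dict(AS_ASKED, IpPermissionsEgress=[])

if __name__ == "__main__":
    for name, sg in (("as asked", AS_ASKED), ("no egress", NO_EGRESS)):
        print(name, audit_db_group(sg, {APP_SG}))
```

To run it against a real group, pass one element of the `SecurityGroups` list from the CLI's JSON output as `group`.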