Running any type of service in a cloud involves different security risks. It is important that none of the ports used by Elasticsearch are exposed and accessible from the public internet. EC2 allows detailed control over which ports are accessible and from which IP addresses or subnets. Generally, you should not need to make any ports accessible from outside anywhere other than port 22 in order to log in remotely.

By default, Elasticsearch uses port 9200 for HTTP traffic and 9300 for inter-node communication. It is advisable to change these default ports by editing elasticsearch.yml on all nodes.