Are EC2 security group changes effective immediately for running instances?

Solution 1:

Seems like yes (quoting AWS documentation):

You can modify rules for a group at any time. The new rules are automatically enforced for all running instances and instances launched in the future.

A simple test of disallowing access to a certain (previously accessible) port also confirmed this.

Solution 2:

The 'listen_addresses' directive on postgresql.conf defaults to 127.0.0.1 only. It should be changed to listen_addresses = '*' to accept connections from 0.0.0.0/0