Are EC2 security group changes effective immediately for running instances?
Seems like yes (quoting AWS documentation):
You can modify rules for a group at any time. The new rules are automatically enforced for all running instances and instances launched in the future.
A simple test of disallowing access to a certain (previously accessible) port also confirmed this.
The 'listen_addresses' directive on postgresql.conf defaults to 127.0.0.1 only. It should be changed to listen_addresses = '*' to accept connections from 0.0.0.0/0