I’m not a security expert either, so take all of this with a grain of salt! But in your traditional client/server application (let’s say Ruby on Rails) you’d open the database to only your app servers so that literally no one and no thing can access it other than those servers. Of course if someone were to get access to your app servers, you’d be in trouble.
What I would do on AWS was to create a security group for the database, and one for the app servers, and let them talk to each other. Then I’d open port 3306 (MySQL) on the database security group to my house’s IP address, and open up port 22 on the app servers security group to that same IP. There was a load balancer in front of the app servers, and it had port 80 and 443 open to the world. The load balancer’s security group was then allowed to talk to the app servers security group.
Then, IN THEORY, I (really my house) was the only person on earth capable of getting direct access to those servers; everyone else could only talk to the load balancers, and everything else could talk to each other, but behind AWS’s firewalls.
But that all goes out the window in the Jamstack! You kind of need everything available to everyone, all the time. Again, you could lock down the database a little more, but the effort makes it almost a non-starter. We’re hoping that someone like Netlify comes out with a database solution where all of this security is taken care of for us, but we have no idea when something like that may be available.
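
The security-group layout described in the post above, as an added example that is not the poster's code: constructed data in the shape of boto3's `describe_security_groups` output, with a check of who can reach each tier and whether anything besides the load balancer is open to the world. The group IDs, the home address 203.0.113.10/32, app port 8080 and the app-to-database rule on 3306 are assumptions.

```python
# Constructed data shaped like ec2.describe_security_groups()["SecurityGroups"].
# Group IDs, HOME and app port 8080 are assumptions, not values from the post.
# Only IPv4 ranges (IpRanges) are examined here.
HOME = "203.0.113.10/32"
WORLD = "0.0.0.0/0"

def rule(port, cidrs=(), groups=()):
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

SECURITY_GROUPS = [
    {"GroupId": "sg-lb", "IpPermissions": [rule(80, [WORLD]), rule(443, [WORLD])]},
    {"GroupId": "sg-app", "IpPermissions": [rule(8080, groups=["sg-lb"]),
                                            rule(22, [HOME])]},
    {"GroupId": "sg-db", "IpPermissions": [rule(3306, [HOME], ["sg-app"])]},
]

def sources(groups, group_id, port):
    """Return every CIDR and security group allowed to reach group_id on a TCP port."""
    allowed = set()
    for sg in groups:
        if sg["GroupId"] != group_id:
            continue
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]  # "-1" means all protocols and ports
            in_range = proto == "-1" or (
                proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"])
            if in_range:
                allowed |= {r["CidrIp"] for r in perm["IpRanges"]}
                allowed |= {p["GroupId"] for p in perm["UserIdGroupPairs"]}
    return allowed

def world_open(groups, public_ok=frozenset({("sg-lb", 80), ("sg-lb", 443)})):
    """List (group, from_port, to_port) rules open to 0.0.0.0/0 that are not expected."""
    findings = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            if not any(r["CidrIp"] == WORLD for r in perm["IpRanges"]):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if lo != hi or (sg["GroupId"], lo) not in public_ok:
                findings.append((sg["GroupId"], lo, hi))
    return findings

if __name__ == "__main__":
    print("db:3306 reachable from", sorted(sources(SECURITY_GROUPS, "sg-db", 3306)))
    print("unexpected world-open rules:", world_open(SECURITY_GROUPS))
```
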