The AWS Elastic Load Balancing FAQ has this very relevant question:
Can I configure my Amazon EC2 instances to only accept traffic from the Elastic Load Balancer?
followed by an ever so helpful response:
Seriously - no links, no reference to documentation, nothing. With such a tremendous investment in infrastructure you'd think Amazon might spend a day or two on documentation...alas.
To add insult to injury, it's also not at all obvious what you need to do to configure your Security Group to support this very commonly desired configuration. I'm here to help.
Use the not-so-documented 'amazon-elb/amazon-elb-sg' Security Group name as the Inbound Source for your Security Group rule to filter on traffic coming from your AWS ELB. Enjoy!
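A rule that names the ELB group only helps if no other rule still opens the same port, so here is an added example (not part of the original post or AWS's own code) that builds the ELB-only rule and audits a rule set for sources that bypass the load balancer. It assumes rules in the EC2 API's IpPermissions shape and that the ELB group is reported under the owner alias and group name given above; the sample rules are constructed.

```python
# Added example; the rule dictionaries follow the EC2 API's IpPermissions shape.
ELB_OWNER = "amazon-elb"      # owner alias, from the post
ELB_GROUP = "amazon-elb-sg"   # group name, from the post

def elb_only_permission(port):
    """Ingress rule that admits TCP `port` only from the ELB source group."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"UserId": ELB_OWNER, "GroupName": ELB_GROUP}]}

def covers(perm, port):
    """True if this rule applies to TCP traffic on `port`."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(permissions, port):
    """Return (elb_allowed, other_sources) for `port`.

    other_sources lists every CIDR or group besides the ELB group that can
    reach the port directly, i.e. paths that bypass the load balancer.
    """
    elb_allowed, other_sources = False, []
    for perm in permissions:
        if not covers(perm, port):
            continue
        other_sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        other_sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for pair in perm.get("UserIdGroupPairs", []):
            if (pair.get("UserId"), pair.get("GroupName")) == (ELB_OWNER, ELB_GROUP):
                elb_allowed = True
            else:
                other_sources.append(pair.get("GroupId") or pair.get("GroupName"))
    return elb_allowed, other_sources

# Constructed sample rules (not taken from a real account).
SSH_RULE = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}
OPEN_HTTP = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
BEFORE = [SSH_RULE, OPEN_HTTP, elb_only_permission(80)]
AFTER = [SSH_RULE, elb_only_permission(80)]

if __name__ == "__main__":
    print(audit(BEFORE, 80))   # ELB allowed, but the port is also open to the world
    print(audit(AFTER, 80))    # ELB allowed, no other source reaches port 80
```

The dictionary from `elb_only_permission` has the form boto3's `authorize_security_group_ingress` takes in its `IpPermissions` list.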