1
votes
  1. I created a new Amazon AWS EC2 instance.
  2. I installed an Apache2 web server with the WordPress app.
  3. I configured my domain name, and added a load balancer to redirect to HTTPS using an Amazon public SSL certificate.
  4. Everything works perfectly and I can access my website using https://mysiteweb.com/
  5. Even when I access my app site at http://mysiteweb.com, the redirection to https:// is performed.

The problem is I can still access my app using the EC2 public IPv4 address: http://XX.XXX.XXX.XX and here no redirection is performed.

Same thing with the public DNS (IPv4): ec2-XX-XX-XX-XX.compute-1.amazonaws.com, no redirection here either.

How can I resolve this?

Thank you.


2 Answers

1
votes

You should update the security group of your instance to only allow inbound access on port 80/443 from the security group attached to the load balancer.

Your load balancer has at least one security group attached, such as the one below:

sg-123456
INBOUND RULES
| Protocol | Port  | Source    |
--------------------------------
| TCP      | 80    | 0.0.0.0/0 | 
| TCP      | 443   | 0.0.0.0/0 | 

You would then update the instance security group to match the example below; here sg-123456 is the load balancer's security group.

sg-123457
INBOUND RULES
| Protocol | Port  | Source    |
--------------------------------
| TCP      | 80    | sg-123456 | 
| TCP      | 443   | sg-123456 | 

By doing this you prevent anything other than the load balancer performing any HTTP requests on your instance.

You can further increase security of your instance and prevent this scenario by moving your instance into a private subnet so that no one is able to connect to it publicly.

In addition, configure the web server you're running to redirect any host name that is not the target hostname to the hostname you're expecting.

This can be accomplished by adding a default VHOST that catches any requests; this will be the first one that you have added in web servers such as Apache and Nginx. Then add an additional vhost with the ServerAlias set to the domain you're anticipating the user landing on.

Doing this prevents crawls on your load balancer from returning your site.
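Added example, not part of the answer above: a Python check over the JSON shape that `aws ec2 describe-security-groups` returns, reporting every source other than the load balancer's security group that can reach ports 80/443 on the instance. The `BEFORE` and `AFTER` groups are constructed samples using the answer's placeholder ids, and the helper names (`rule`, `covers`, `direct_web_exposure`) are hypothetical.

```python
LB_SG = "sg-123456"          # load balancer SG (placeholder id from the answer)
WEB_PORTS = (80, 443)

def rule(port, cidrs=(), groups=()):
    """Build one IpPermissions entry (helper for the constructed samples)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

# Constructed samples: the instance SG before and after the change.
BEFORE = {"GroupId": "sg-123457", "IpPermissions": [
    rule(80, cidrs=["0.0.0.0/0"]), rule(443, cidrs=["0.0.0.0/0"]),
    rule(22, cidrs=["203.0.113.10/32"])]}   # SSH rule: not a web port, ignored
AFTER = {"GroupId": "sg-123457", "IpPermissions": [
    rule(80, groups=[LB_SG]), rule(443, groups=[LB_SG]),
    rule(22, cidrs=["203.0.113.10/32"])]}

def covers(perm, port):
    """True if the rule's protocol and port range include this TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                        # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def direct_web_exposure(group, lb_sg_id):
    """Return (port, source) pairs that bypass the load balancer on 80/443."""
    findings = []
    for perm in group.get("IpPermissions", []):
        for port in WEB_PORTS:
            if not covers(perm, port):
                continue
            # Any CIDR source is direct access, whatever its size.
            for r in perm.get("IpRanges", []):
                findings.append((port, r["CidrIp"]))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((port, r["CidrIpv6"]))
            # A group source is acceptable only if it is the load balancer's.
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != lb_sg_id:
                    findings.append((port, pair["GroupId"]))
    return findings

if __name__ == "__main__":
    for name, group in (("before", BEFORE), ("after", AFTER)):
        print(name, direct_web_exposure(group, LB_SG))
```

An empty list for the instance's group means only the load balancer's security group can open HTTP/HTTPS connections to it.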

1
votes

The issue could be rectified by configuring the security group (SG) for your EC2 instance to allow incoming connections from the SG of your load balancer: