How can I set up basic security best practices for my web app?

Asked By TechieNerd24 On

I'm looking for some guidance on establishing basic security practices for a web application I'm building. I've got some foundational knowledge of AWS, but I want to make sure I'm doing things correctly and would really appreciate any feedback or resources you all might have. I'm fairly new to network and DevOps infrastructure and want to make sure I'm being thorough.

The app I'm working on will generate plotting charts from data provided by a third-party vendor through an API key, with some data stored in an RDS (Postgres) database. Notably, there are no compliance issues since I won't be handling PII, financial information, or anything related to government entities. It's more of a pet project, so I don't expect heavy traffic.

I'm currently concerned about my initial setup, where everything runs on a single EC2 instance in a public subnet, which seems risky. I'm thinking a better approach could involve multiple EC2 instances for different responsibilities:
- Separate instances for the web server (public-facing) and API calls (in a private subnet with NAT).
- Using AWS Secrets Manager for secure storage of sensitive data.
- Possibly including a bastion host for SSH access.
- Implementing an Application Load Balancer (ALB) for HTTPS services and something like AWS Cognito for authentication.

I believe these measures, alongside the use of IAM roles and security groups, will help mitigate major security risks. I've also considered firewalls and CloudWatch for logging, but they seem a bit complex for my current needs. Am I on the right path here? What improvements or advice do you have?
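The layout proposed above, turned into an offline check as an added example (not part of the original post): it audits security-group rules against the intended tiers (ALB public on 443 only, web and API hosts reachable via SSH only from the bastion's group, Postgres only from the app-tier groups). Input follows the shape of boto3's `ec2.describe_security_groups()["SecurityGroups"]` response; the function name, the role map and all group ids and CIDRs are assumptions constructed for the example.

```python
# Added example, not from the original post. Audits a proposed ALB / web / private
# API / bastion / RDS layout expressed as security-group rules. Input mirrors the
# shape of boto3 ec2.describe_security_groups()["SecurityGroups"]; ids and CIDRs
# below are constructed sample data.
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}

def _sources(perm):
    """Yield (kind, value) for every source of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for g in perm.get("UserIdGroupPairs", []):
        yield "sg", g["GroupId"]

def audit_security_groups(groups, roles):
    """roles maps group id -> alb | web | api | bastion | db. Returns findings."""
    by_role = {role: gid for gid, role in roles.items()}
    app_tier = {("sg", by_role.get("web")), ("sg", by_role.get("api"))}
    findings = []
    for sg in groups:
        gid, role = sg["GroupId"], roles.get(sg["GroupId"], "unknown")
        for perm in sg.get("IpPermissions", []):
            port = perm.get("FromPort", "all")  # IpProtocol -1 carries no port
            for kind, src in _sources(perm):
                public = kind == "cidr" and src in PUBLIC_CIDRS
                # Only the ALB may face the internet, and only on 80/443.
                if public and not (role == "alb" and port in (80, 443)):
                    findings.append(f"{gid} ({role}): port {port} open to {src}")
                # SSH to app hosts must reference the bastion's group, not a CIDR.
                elif port == 22 and role != "bastion" and (kind, src) != ("sg", by_role.get("bastion")):
                    findings.append(f"{gid} ({role}): SSH allowed from {src}, expected bastion group")
                # Postgres only on the DB group, and only from app-tier groups.
                elif port == 5432 and (role != "db" or (kind, src) not in app_tier):
                    findings.append(f"{gid} ({role}): Postgres 5432 allowed from {src}")
    return findings

# Constructed sample: the layout from the question, with two deliberate mistakes.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # mistake 1
    {"GroupId": "sg-api", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},  # mistake 2
]
ROLES = {"sg-alb": "alb", "sg-web": "web", "sg-api": "api", "sg-bastion": "bastion", "sg-db": "db"}
```

To run it against a real account, pass `ec2.describe_security_groups()["SecurityGroups"]` and a roles map built from your own tags; the two sample mistakes (SSH on the web host open to the world, Postgres allowed from a subnet CIDR instead of the app-tier group) are exactly the kind of drift the proposed design is meant to avoid.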

4 Answers

Answered By ThreatHunter_21 On

Checkov is a solid choice as a SAST (Static Application Security Testing) tool. Also, leveraging Conformance Packs and aligning with NIST and CIS security guidelines can strengthen your security posture.

Answered By HomemadeFirewall On

While firewalls are useful for managing traffic, they may be more necessary when you start scaling into multiple AZs. For now, managing your VPCs and configurations should suffice.

Answered By LoggingLover On

CloudWatch is very beneficial for logging, but remember to configure it properly. Poorly configured logging can lead to overwhelming amounts of data and unexpected costs.

Answered By SecureByDesign On

You might want to consider consulting with a security architect if you can afford it. It’s crucial to get professional advice tailored to your specific use case. People often downvote these suggestions, but this is a real service that requires expertise.
