AWS Network ACL/Security groups and RDS access

Tags: amazon-rds, amazon-vpc, amazon-web-services

Just want to clarify a few settings on a new Amazon setup I'm creating. I have followed a number of guides and everything appears to be working and secure; I'd just really appreciate it if someone who is a little more clued up on security could give this a quick look over.

I'm aiming for HTTP and HTTPS access to the EC2 instances and SSH access to only specific EC2 instances which will be limited by IP.

Network ACLs configured for access only to SSH, HTTP(S).

Inbound:
SSH   - Source 0.0.0.0/0 - Allow
HTTP  - Source 0.0.0.0/0 - Allow
HTTPS - Source 0.0.0.0/0 - Allow
ALL   - Source 0.0.0.0/0 - Deny

Outbound:
ALL   - Destination 0.0.0.0/0 - Allow

'HTTP' Security group, applied to all web based and admin EC2 servers.

Inbound
HTTP  - Source 0.0.0.0/0
HTTPS - Source 0.0.0.0/0

Outbound
ALL   - Destination 0.0.0.0/0

'SSH' Security Group, applied to the admin EC2 server.

Inbound
SSH   - Source MYIP/32

Outbound
ALL   - Destination 0.0.0.0/0

'DB' Security Group, applied to the RDS with public accessibility set to disabled.

Inbound
MySQL - Source 174.20.0.0/20 (VPC CIDR)

Outbound
ALL   - Destination 0.0.0.0/0

If I ever need direct MySQL access the plan would be to create a SSH tunnel through the admin EC2 server. Works fine.
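To make the layering in the configuration above concrete, here is an added example (not from the question or from AWS) that models the inbound Network ACL and the three security groups as data and evaluates sample connections against them. The two mechanisms differ in a way that matters for review: a NACL is an ordered list where the first matching rule wins (and it carries explicit deny rules), while a security group is an unordered set of allow rules where any match permits the traffic. The NACL is only consulted when traffic crosses a subnet boundary, so the model takes a `crosses_subnet` flag; `203.0.113.10/32` stands in for the question's `MYIP/32` and the RFC 5737 test addresses used as sources are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service-name to port mapping used by the rule tables below.
PORTS = {"SSH": 22, "HTTP": 80, "HTTPS": 443, "MySQL": 3306}


@dataclass(frozen=True)
class Rule:
    proto: str            # "SSH", "HTTP", "HTTPS", "MySQL" or "ALL"
    cidr: str             # source CIDR the rule applies to
    action: str = "allow" # NACL rules may also be "deny"; SG rules are allow-only

    def matches(self, port: int, src: str) -> bool:
        port_ok = self.proto == "ALL" or PORTS[self.proto] == port
        return port_ok and ip_address(src) in ip_network(self.cidr)


# Inbound NACL as listed in the question: evaluated top-down, first match wins.
NACL_INBOUND = [
    Rule("SSH", "0.0.0.0/0"),
    Rule("HTTP", "0.0.0.0/0"),
    Rule("HTTPS", "0.0.0.0/0"),
    Rule("ALL", "0.0.0.0/0", "deny"),
]

# Security groups as listed in the question (203.0.113.10/32 stands in for MYIP/32).
SECURITY_GROUPS = {
    "HTTP": [Rule("HTTP", "0.0.0.0/0"), Rule("HTTPS", "0.0.0.0/0")],
    "SSH": [Rule("SSH", "203.0.113.10/32")],
    "DB": [Rule("MySQL", "174.20.0.0/20")],
}


def nacl_allows(rules: list[Rule], port: int, src: str) -> bool:
    """Ordered evaluation: the first rule that matches decides the outcome."""
    for rule in rules:
        if rule.matches(port, src):
            return rule.action == "allow"
    return False  # every NACL ends with an implicit deny


def sg_allows(rules: list[Rule], port: int, src: str) -> bool:
    """Security groups are allow-only: any matching rule permits the traffic."""
    return any(rule.matches(port, src) for rule in rules)


def inbound_allowed(groups: list[str], port: int, src: str,
                    crosses_subnet: bool = True) -> bool:
    """True if a packet from src to port reaches an instance in the given groups.

    The NACL applies only when the packet enters the subnet from outside it;
    traffic between two instances in the same subnet sees security groups only.
    """
    if crosses_subnet and not nacl_allows(NACL_INBOUND, port, src):
        return False
    return any(sg_allows(SECURITY_GROUPS[g], port, src) for g in groups)


if __name__ == "__main__":
    # Constructed sample connections, printed as a quick review table.
    cases = [
        ("web server, HTTPS from internet", ["HTTP"], 443, "198.51.100.7", True),
        ("admin server, SSH from internet", ["HTTP", "SSH"], 22, "198.51.100.7", True),
        ("admin server, SSH from MYIP", ["HTTP", "SSH"], 22, "203.0.113.10", True),
        ("RDS, MySQL from internet", ["DB"], 3306, "198.51.100.7", True),
        ("RDS, MySQL from EC2 in another subnet", ["DB"], 3306, "174.20.1.5", True),
        ("RDS, MySQL from EC2 in the same subnet", ["DB"], 3306, "174.20.1.5", False),
    ]
    for label, groups, port, src, crosses in cases:
        print(f"{label:45s} -> {inbound_allowed(groups, port, src, crosses)}")
```

Two rows are worth a second look when running this. SSH from an arbitrary address passes the NACL (rule 1) and is stopped only by the `SSH` security group, so the NACL is not what protects port 22 here. And because the NACL's final rule denies everything except 22/80/443, MySQL from an EC2 instance is blocked whenever the packet has to enter the RDS subnet from a different subnet; it is allowed only when the VPC-CIDR rule in the `DB` group is the sole thing in the path.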

Given the above config, I should only ever be able to access my setup via ports 22, 80 and 443. Why, if I do the following on my local machine:

mysql -h db-instance.abcdef12345.eu-west-1.rds.amazonaws.com -unicksuser -p

Does it connect and ask me for a password?

I can't actually access the server with correct details mind you, it just feels like this shouldn't be accessible and never even ask for a password.

Best Answer

mysql -p gives a response that isn't, initially, a valid test for proving IP connectivity to a server.

MySQL's client/server protocol uses a challenge/response model, so the password is never actually sent to the server, and the prompt doesn't come from the server.

Instead, the client prompts you locally for the password, before connecting to the server, and in fact, it prompts you before even verifying that the server exists.

$ mysql -p -h lol.psych.example.com

Use this or any nonsense value for the target hostname to illustrate that this is true. The password prompt appears immediately.
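Since the password prompt proves nothing about reachability, the test a reviewer actually wants is a plain TCP connection attempt to port 3306 with a timeout. The following added example (not part of the answer above, and not an AWS or MySQL tool) does exactly that and classifies the outcome: an `open` result means the security groups and NACLs let the connection through, `timeout` is what a correctly isolated RDS instance with public accessibility disabled typically produces from outside the VPC, `refused` means a host answered but nothing is listening, and `unresolvable` means DNS never gave an address to try. The hostname in the `__main__` block is a placeholder for the endpoint in the question.

```python
import socket
import sys


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a single TCP connect and classify the result.

    Returns one of: "open", "refused", "timeout", "unresolvable",
    or "error:<errno>" for any other socket-level failure.
    Unlike `mysql -p`, nothing here prompts or talks to MySQL; it only
    answers the question "does a TCP handshake to host:port complete?".
    """
    try:
        # Resolve first so a DNS failure is reported as such rather than
        # being mistaken for a filtered port.
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolvable"

    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
        except socket.timeout:
            # No SYN-ACK and no RST: a security group or NACL is dropping
            # the packet, or the host is not routable from here at all.
            return "timeout"
        except ConnectionRefusedError:
            # The host is reachable but nothing listens on that port.
            return "refused"
        except OSError as exc:
            return f"error:{exc.errno}"
    return "open"


def explain(status: str) -> str:
    """Map a probe result to the conclusion a reviewer should draw."""
    meanings = {
        "open": "port reachable: the network path allows this connection",
        "refused": "host reachable, port closed: routing allows it, no listener",
        "timeout": "filtered or unroutable: this is what private-only RDS looks like",
        "unresolvable": "DNS failed: no connection was ever attempted",
    }
    return meanings.get(status, "connection failed at the socket level")


if __name__ == "__main__":
    # Placeholder endpoint; pass a real one on the command line instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "db-instance.EXAMPLE.eu-west-1.rds.amazonaws.com"
    result = tcp_probe(host, 3306)
    print(f"{host}:3306 -> {result} ({explain(result)})")
```

Run it once from the local machine (expect `timeout`) and once from the admin EC2 instance inside the VPC (expect `open`); the pair of results is the evidence that the `DB` security group and the disabled public accessibility are doing what the configuration intends, which the mysql client's prompt cannot tell you.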
