Thank you @ankgp.
- I created a connection to my private VPC
- I added the relevant security groups to my EC2 (enabling access only from the QS subnet IPs)
- I added a special SQ user with relevant permissions to the MySQL schema
- I had to update my.cnf and disable bind-address, to allow connections from QS
- I did not use SSL for the connection between QS and my EC2 MySQL
The following information pages were helpful too: