diff --git a/CHANGELOG.md b/CHANGELOG.md
index 496559b..0721b23 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,6 +47,10 @@
- ois-scanner
- update to use prefix list ois-scanner.base
+* 2.4.0 -- 2024-12-09
+ - rds-postgres
+ - update to use prefix list(s) as variable prefix_list_names
+
# OLDER
## web
diff --git a/common/version.tf b/common/version.tf
index 03d330b..f403a49 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "2.3.0"
+ _module_version = "2.4.0"
}
diff --git a/rds-postgres/README.md b/rds-postgres/README.md
index 9cc7a1d..0ed01c6 100644
--- a/rds-postgres/README.md
+++ b/rds-postgres/README.md
@@ -13,6 +13,7 @@ module "postgres" {
vpc_id = var.vpc_id
## optional
# name = "m-postgres-db"
+ # prefix_list_names = [ "rds-postgres.edl.project" ]
## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
# tags = { }
@@ -23,13 +24,14 @@ module "postgres" {
| Name | Version |
|------|---------|
-| [terraform](#requirement\_terraform) | >= 0.12 |
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 3.66.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | n/a |
+| [aws](#provider\_aws) | >= 3.66.0 |
## Modules
@@ -40,6 +42,7 @@ No modules.
| Name | Type |
|------|------|
| [aws_security_group.this_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_ec2_managed_prefix_list.prefix_list](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
| [aws_security_group.egress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
| [aws_security_group.ingress_security_groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
| [aws_vpc.this_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
diff --git a/rds-postgres/main.tf b/rds-postgres/main.tf
index 21126bb..f7dd256 100644
--- a/rds-postgres/main.tf
+++ b/rds-postgres/main.tf
@@ -14,6 +14,7 @@
* vpc_id = var.vpc_id
* ## optional
* # name = "m-postgres-db"
+* # prefix_list_names = [ "rds-postgres.edl.project" ]
*
* ## tags for Name, CostAllocation, and Environment are pre-set, but they can be overriden
* # tags = { }
@@ -63,6 +64,22 @@ resource "aws_security_group" "this_security_group" {
}
}
+
+ # ingress with prefix lists
+ ingress {
+ for_each = length(var.prefix_list_names) > 0 ? local.port_map["external"] : {}
+ iterator = p
+ content {
+ description = "${local.short_description}: ${p.value["description"]}"
+ from_port = p.value["from"]
+ to_port = p.value["to"]
+ protocol = p.value["proto"]
+ cidr_blocks = length(p.value["cidr"]) == 0 ? local.external_ingress_networks : p.value["cidr"]
+ prefix_list_ids = [for pl in data.aws_ec2_managed_prefix_list.prefix_list : pl.id]
+ }
+ }
+
+
# ingress security group ids (all)
dynamic "ingress" {
for_each = local.ingress_sg
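Review bot: The new block at the `ingress {` line uses `for_each`, `iterator` and a nested `content` block, which are only valid inside a `dynamic` block; a static `ingress` block in `aws_security_group` does not accept those arguments, so `terraform validate` should reject this as written. The existing rule below (`dynamic "ingress" {` with `for_each = local.ingress_sg`) shows the intended form, so the fix is the one line `dynamic "ingress" {`. Separately, the rule sets both `cidr_blocks` (falling back to `local.external_ingress_networks` when a port has no CIDR) and `prefix_list_ids` in the same rule; since a rule's allowed sources are the union of both, the prefix lists add no restriction on those ports, and if prefix lists are meant to scope access the fallback should probably be dropped or documented with a comment such as `# NOTE: prefix lists widen, not replace, the CIDR sources of this rule` (the contents of `local.external_ingress_networks` and the prefix_list data source are outside the hunk). The enclosing `aws_security_group.this_security_group` resource starts and ends outside the hunk.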
@@ -89,6 +106,7 @@ resource "aws_security_group" "this_security_group" {
}
}
+
# egress all
egress {
description = "${local.short_description}: All"