You are absolutely right, thanks for the comment. Probably I forgot these because I had these rules added long time ago to my default security group. I will update the post to reflect this
A better way to do this is to create a separate security group that allows inbound SSH on port 22 and TCP on port 80.
An Cloud Formation example on how it would like:
Notice how we added the SecurityGroups tag under the EC2 instance property, where we referred to the logical ID of the security group created.