To secure an Ubuntu EC2 instance, the security group applied to it should close every port except the ones your web server listens on (HTTP port 80, HTTPS port 443).
Sometimes, though, you need to log in to the instance for maintenance, and for that you need to open the SSH port.
If you have a static IP from your connection provider, this is easy: just add a rule in the AWS console that opens the SSH port for that specific IP.
You can do the same with a dynamic IP, but every time your connection's public IP changes you have to add the rule again from the AWS console.
Or you can use the following command to add your current public IP to your security group (you need to have ec2-api-tools set up first: https://help.ubuntu.com/community/EC2StartersGuide):
ec2-authorize <security_group_name> -p 22 -s `w3m -dump http://www.monip.org/ | awk -F': ' '/IP/ { print $2 }' | sed -n 1p`/32
If you need to specify the AWS region:
ec2-authorize <security_group_name> --region <region_name> -p 22 -s `w3m -dump http://www.monip.org/ | awk -F': ' '/IP/ { print $2 }' | sed -n 1p`/32
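The one-liner above passes whatever the plain-HTTP lookup returns straight into the rule, so a changed page layout or an altered response ends up as the source range. The following is an added example, not part of the original post: it extracts the address with the same awk/sed step and only produces a /32 when the result is a single well-formed IPv4 address. The function names, the sample lookup lines and the group argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate the scraped address before it reaches ec2-authorize.

# Succeeds only for a strict dotted-quad IPv4 address (each octet 0-255).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Reads the lookup page text on stdin, extracts the address the same way the
# one-liner does, and prints "<ip>/32" only if the address validates.
ssh_rule_cidr() {
    ip=$(awk -F': ' '/IP/ { print $2 }' | sed -n 1p | tr -d ' \r')
    valid_ipv4 "$ip" || return 1
    printf '%s/32\n' "$ip"
}

# Hypothetical wrapper; $1 is your security group name.
# Real use: w3m -dump http://www.monip.org/ | open_ssh <security_group_name>
open_ssh() {
    cidr=$(ssh_rule_cidr) || {
        echo "refusing: lookup did not return one IPv4 address" >&2
        return 1
    }
    ec2-authorize "$1" -p 22 -s "$cidr"
}

# Constructed sample lookup output (not captured from the real service).
good='IP : 203.0.113.7'
bad='IP : <html>error</html>'
printf '%s\n' "$good" | ssh_rule_cidr
printf '%s\n' "$bad" | ssh_rule_cidr || echo "rejected malformed lookup result"
```

When maintenance is finished, ec2-revoke with the same group, -p 22 and -s value removes the rule again so port 22 does not stay open for an address you no longer hold.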