In the AWS Certified Solutions Architect - Associate (SAA-CO2) course when looking at the lesson of Compute > Security Groups > A deeper look. The instructor talks about letting traffic out of an instance by adding an outbound rule. If you are running a MySQL, then you have to add both the inbound rule and the outbound rule for MySQL.
My understanding is that Security Groups are Stateful - meaning that if you allow something in, then it will automatically allow traffic out, as long as its the same request.
The Stateless part are network ACLs - where you would need to specify in both directions.
I think that I am right - from the documentation from AWS:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
"Security groups are stateful. For example, if you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules."
However, just wanted to make sure that I'm not missing something here?