There is no option for denying traffic in security groups; it's just that you can leave them empty.
So you can define a rule that doesn't do anything, so that the default rule is not applied.
You can refer to the example below:
"InstanceSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "Allow HTTP in; placeholder egress rule replaces the default allow-all outbound rule",
        "VpcId": {
            "Ref": "VPC"
        },
        "SecurityGroupIngress": [
            {
                "IpProtocol": "tcp",
                "FromPort": 80,
                "ToPort": 80,
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "SecurityGroupEgress": [
            {
                "IpProtocol": "tcp",
                "FromPort": 1,
                "ToPort": 1,
                "CidrIp": "0.0.0.0/32"
            }
        ]
    }
}
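The practical risk behind the answer above is easy to miss in review: a security group whose template omits SecurityGroupEgress silently keeps the allow-all outbound rule that AWS attaches to every new group, while one that carries a placeholder rule like the one shown replaces it. The following audit script is an added example, not code from the original post or from AWS; it parses a constructed JSON template (two groups, one with no egress block and one with the placeholder rule) and reports which groups end up with an open outbound rule. The representation of the implicit default rule as protocol "-1" to 0.0.0.0/0, and the decision to treat an empty SecurityGroupEgress list the same as a missing one, are assumptions made for this audit.

```python
import ipaddress
import json

# Constructed sample template, not taken from the original post: one group with no
# SecurityGroupEgress at all, one with the placeholder egress rule from the answer.
TEMPLATE_JSON = r'''
{
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {"CidrBlock": "10.0.0.0/16"}
    },
    "OpenEgressSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "no egress block: keeps the default allow-all outbound rule",
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "LockedEgressSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "placeholder egress rule replaces the default outbound rule",
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}
        ],
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 1, "ToPort": 1, "CidrIp": "0.0.0.0/32"}
        ]
      }
    }
  }
}
'''

# Assumed model of the rule AWS attaches to a new security group when the template
# gives none: all protocols ("-1") to every IPv4 destination.
DEFAULT_EGRESS = {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}


def effective_egress(props):
    """Outbound rules the group ends up with once the stack is created.

    No SecurityGroupEgress key means the default allow-all rule stays in place.
    An empty list is treated the same way here (assumption for this audit).
    """
    rules = props.get("SecurityGroupEgress")
    return list(rules) if rules else [DEFAULT_EGRESS]


def rule_cidr(rule):
    """Parse the CidrIp/CidrIpv6 of a rule, or None for SG/prefix-list destinations."""
    cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
    return ipaddress.ip_network(cidr, strict=False) if cidr else None


def rule_is_open(rule):
    """True for a rule whose destination is the whole address space (/0)."""
    net = rule_cidr(rule)
    return net is not None and net.prefixlen == 0


def rule_is_placeholder(rule):
    """True for the no-op pattern in the answer: a single-port rule aimed at 0.0.0.0/32."""
    net = rule_cidr(rule)
    return (
        net is not None
        and net.num_addresses == 1
        and net.network_address.is_unspecified
        and rule.get("FromPort") == rule.get("ToPort")
    )


def audit(template_text):
    """Map each AWS::EC2::SecurityGroup logical ID to a list of findings (empty = clean)."""
    template = json.loads(template_text)
    findings = {}
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = resource.get("Properties", {})
        problems = []
        if "GroupDescription" not in props:
            problems.append("missing required GroupDescription")
        for rule in effective_egress(props):
            if rule_is_open(rule):
                origin = "explicit" if props.get("SecurityGroupEgress") else "default"
                problems.append(f"{origin} egress to {rule_cidr(rule)} proto {rule.get('IpProtocol')}")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    template = json.loads(TEMPLATE_JSON)
    for group, problems in audit(TEMPLATE_JSON).items():
        egress = effective_egress(template["Resources"][group]["Properties"])
        placeholder_only = all(rule_is_placeholder(r) for r in egress)
        print(group, "->", problems or ["ok"], "(placeholder-only egress)" if placeholder_only else "")
```

Run it on your own template to catch groups that rely on the implicit default. Note that the placeholder rule is not a true deny: it still permits TCP port 1 to the single address 0.0.0.0/32, which is unroutable in practice, so the group sends nothing useful outbound but the rule should be documented in GroupDescription so a later reviewer does not "clean it up" and reintroduce the allow-all default.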