Security group for AWS NTP Server

You need to allow outbound traffic to 0.0.0.0/0 on port 123 on your security group for NTP to work.

If your EC2 instance is in a public subnet, then you only need to allow this on your security group.

But if your EC2 instance is in a private subnet, then you need to allow inbound and outbound traffic on port 123 for your NAT to pass the requests and responses. Inbound is required from your EC2 instance (not the world).


According to AWS's Document

Network Time Protocol (NTP) is configured by default on Amazon Linux instances; however, an instance needs access to the Internet for the standard NTP configuration to work. Your instance's security group must also allow outbound UDP traffic on port 123 (NTP).
source: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html

So we need to allow outbound traffic to 0.0.0.0/0 on port 123 on the security group for NTP to work.


For anyone visiting more recently, AWS have their own time servers now: https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/ (and also just to reiterate: you do need time sync on AWS VMs, otherwise they'll drift a noticeable amount after a couple of months).

To use them, you need to configure your NTP server (ntpd or chronyd) to use server 169.254.169.123, and of course open Security Groups for outbound on port 123/udp. This magic IP is within AWS, so doesn't go out of the VPC or onto the Internet.

Just to note, it's usual to include multiple servers and let your client work out the time from all of them. In the AWS case, even though it's only a single IP, you're talking to multiple servers and as such don't specifically need to use multiple IPs. If you're allowed to use Internet NTP servers as well as the AWS one, then there's no harm in configuring multiple, perhaps with a prefer option on the AWS one.
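The two checks the answers above describe (outbound UDP/123 on the instance's security group, and inbound UDP/123 from the instance on a NAT instance's group for private subnets) can be audited offline against the JSON shape that `aws ec2 describe-security-groups` returns. The following is an added example, not code from the thread or from AWS; the security-group dicts are constructed samples, `ntp.example.org` is a placeholder for any Internet NTP server you are allowed to use, and the `prefer iburst` options are standard chrony `server` directive options, used here to express the "prefer the AWS one" suggestion from the last answer.

```python
import ipaddress
from typing import Iterable, Optional

NTP_PORT = 123
AWS_TIME_SYNC_IP = "169.254.169.123"  # link-local Amazon Time Sync address named above


def rule_covers_udp_ntp(rule: dict, target_ip: str) -> bool:
    """True if one security-group rule (describe-security-groups shape)
    permits UDP/123 to or from target_ip. Handles the "-1" all-traffic case,
    which carries no FromPort/ToPort, and ignores tcp/icmp rules."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        port_ok = True
    elif proto == "udp":
        port_ok = rule.get("FromPort", -1) <= NTP_PORT <= rule.get("ToPort", -1)
    else:
        return False
    if not port_ok:
        return False
    addr = ipaddress.ip_address(target_ip)
    # A 0.0.0.0/0 range covers the AWS link-local address too; a /32 only covers itself.
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def sg_allows_ntp(security_group: dict, target_ip: str, direction: str = "egress") -> bool:
    """direction="egress": can this group reach target_ip on UDP/123?
    direction="ingress": can target_ip reach members of this group on UDP/123?
    (the latter is what a NAT instance's group needs for a private subnet)."""
    key = "IpPermissionsEgress" if direction == "egress" else "IpPermissions"
    return any(rule_covers_udp_ntp(r, target_ip) for r in security_group.get(key, []))


def chrony_config(servers: Iterable[str], prefer: Optional[str] = None) -> str:
    """Render chrony 'server' lines; the preferred server gets the 'prefer' option."""
    lines = []
    for s in servers:
        opts = ["iburst"]
        if s == prefer:
            opts.insert(0, "prefer")
        lines.append(f"server {s} {' '.join(opts)}")
    return "\n".join(lines) + "\n"


# --- constructed sample security groups (same shape as describe-security-groups) ---
SG_PUBLIC_OK = {  # instance in a public subnet, NTP to anywhere
    "GroupId": "sg-0example0",
    "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}
SG_AWS_ONLY = {  # least-privilege: only the Amazon Time Sync address
    "GroupId": "sg-0example1",
    "IpPermissionsEgress": [
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
         "IpRanges": [{"CidrIp": AWS_TIME_SYNC_IP + "/32"}]}
    ],
}
SG_HTTPS_ONLY = {  # common misconfiguration: egress for TCP/443 only, so NTP silently fails
    "GroupId": "sg-0example2",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    ],
}
SG_NAT_INSTANCE = {  # NAT instance: inbound UDP/123 from the private subnet, not the world
    "GroupId": "sg-0example3",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}
    ],
}

if __name__ == "__main__":
    print("public SG reaches Internet NTP:", sg_allows_ntp(SG_PUBLIC_OK, "203.0.113.10"))
    print("AWS-only SG reaches time sync:", sg_allows_ntp(SG_AWS_ONLY, AWS_TIME_SYNC_IP))
    print("HTTPS-only SG reaches time sync:", sg_allows_ntp(SG_HTTPS_ONLY, AWS_TIME_SYNC_IP))
    print("NAT SG accepts private host:", sg_allows_ntp(SG_NAT_INSTANCE, "10.0.1.25", "ingress"))
    print(chrony_config([AWS_TIME_SYNC_IP, "ntp.example.org"], prefer=AWS_TIME_SYNC_IP))
```

To run it against a real group, replace the constructed dicts with the `SecurityGroups[0]` element of the CLI's JSON output; the `direction="ingress"` check is the one to apply to a NAT instance's group, while a managed NAT gateway has no security group and needs only the instance-side egress rule plus a permissive network ACL.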