Security Groups on AWS by default blocks all, so you can just define what you allow. As a result, you cannot block an IP using Security Group, e.g. to prevent a specific IP to access to your web port
ACL is right there for that need. You need to define the IP/IPs which you want to block and remember to keep the rule 100 always in place:)