At time 2.35, you enabled inbound https which is not needed if you want to access the internet to download stuff (outbound https), correct?
Yes. Security Group Inbound rules have nothing to do with initiated outbound requests. They are only applicable if you are running an web server, and needs to allow external clients to get access to your application.
Yes, SG are stateful!