Ryan mentioned at about 1:50 in the lecture that the security group would need HTTPS to download MySQL. Remember that security groups allow "all traffic" outbound by default. This means for this lecture the only port that needs to be defined is inbound SSH. This is the case for most of the lectures I have watched. Other ports need to be defined only if there is a need for inbound traffic to the server (e.g., HTTP/HTTPS, SQL, ICMP, etc.).
Great point, thank you!
Port 443 needs to be allowed for the security group of the NAT instance so that the NAT instance can receive routed HTTPS traffic from traffic in private subnets. If port 443 were not allowed, private instances routing their traffic via the NAT instance would have only been able to use HTTP.
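
The two cases raised in this thread, put side by side in a small model. This is an added example, not part of any participant's post and not AWS code. The `SecurityGroup` class, the CIDRs and the IP address are constructed for illustration, and the model covers only TCP port and source CIDR matching with stateful return traffic.

```python
import ipaddress
from dataclasses import dataclass, field

PRIVATE_SUBNET = "10.0.2.0/24"   # constructed private subnet CIDR
ADMIN_CIDR = "203.0.113.0/24"    # constructed admin network allowed to SSH

@dataclass
class SecurityGroup:
    """Toy model: inbound rules are (tcp_port, source_cidr) pairs."""
    inbound: list = field(default_factory=list)  # a new group allows nothing in
    outbound_all: bool = True                    # default "all traffic" egress

    def allows_inbound(self, port, src_ip):
        src = ipaddress.ip_address(src_ip)
        return any(p == port and src in ipaddress.ip_network(cidr)
                   for p, cidr in self.inbound)

    def allows_outbound(self, port):
        return self.outbound_all

def direct_download(instance_sg, port=443):
    """The instance opens the connection itself, so only its outbound rules
    are evaluated; the reply is return traffic of a tracked connection."""
    return instance_sg.allows_outbound(port)

def download_via_nat(private_sg, nat_sg, private_ip, port=443):
    """The private instance's packet reaches the NAT instance as a new
    inbound flow, so the NAT group's inbound rules are evaluated too."""
    return (private_sg.allows_outbound(port)
            and nat_sg.allows_inbound(port, private_ip)
            and nat_sg.allows_outbound(port))

def scenarios():
    ssh_only = SecurityGroup(inbound=[(22, ADMIN_CIDR)])
    nat_http = SecurityGroup(inbound=[(22, ADMIN_CIDR), (80, PRIVATE_SUBNET)])
    nat_both = SecurityGroup(inbound=nat_http.inbound + [(443, PRIVATE_SUBNET)])
    private = SecurityGroup()
    ip = "10.0.2.15"  # constructed private instance address
    return {
        "direct HTTPS, SSH-only group": direct_download(ssh_only),
        "via NAT (80 only), HTTP": download_via_nat(private, nat_http, ip, 80),
        "via NAT (80 only), HTTPS": download_via_nat(private, nat_http, ip, 443),
        "via NAT (80+443), HTTPS": download_via_nat(private, nat_both, ip, 443),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

Scoping the NAT group's 443 rule to the private subnet CIDR, as modelled here, keeps the NAT instance from accepting HTTPS from arbitrary sources.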