I do not understand why he says you cannot block a single IP with security groups. It seems quite possible.
Exhibit 1: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-block-or-allow-ips/
You can only do it with Network ACLs.
Answering my own question: It finally hit me that allow is not the same as block.
Security groups do not have "Block" rules. So blocking a single IP or a range of IPs while allowing everything else would require creating an allow for all the IP spaces except for the IPs you want to block.
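The allow-only workaround described in the comment above, worked through as an added example (not part of the original thread or of AWS documentation): it computes the CIDR ranges a security group would have to allow so that everything except the blocked addresses gets through. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def allow_cidrs_excluding(blocked, universe="0.0.0.0/0"):
    """Return the CIDR list that covers `universe` minus every network in `blocked`."""
    allowed = [ipaddress.ip_network(universe)]
    for item in blocked:
        block = ipaddress.ip_network(item, strict=False)
        remaining = []
        for net in allowed:
            if block.version != net.version or not net.overlaps(block):
                remaining.append(net)            # untouched by this block
            elif net.subnet_of(block):
                continue                         # fully covered by the block: drop it
            else:
                # block sits strictly inside net: split net around it
                remaining.extend(net.address_exclude(block))
        allowed = remaining
    return sorted(ipaddress.collapse_addresses(allowed))


def is_allowed(address, allowed):
    """True if `address` falls inside any of the allow CIDRs."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed)


if __name__ == "__main__":
    # Constructed sample: block one host, as in the question.
    rules = allow_cidrs_excluding(["203.0.113.7/32"])
    print(f"allow rules needed to 'block' one IPv4 host: {len(rules)}")
    for net in rules[:5]:
        print("  allow", net)
    print("  ...")
    print("203.0.113.7 allowed?", is_allowed("203.0.113.7", rules))
    print("203.0.113.8 allowed?", is_allowed("203.0.113.8", rules))
```

A single blocked IPv4 host turns into 32 allow rules per port/protocol, whereas a Network ACL expresses the same thing as one deny entry ahead of a broad allow.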
Thank you for your reply! But could you support that with a relevant piece of documentation or an explanation?