Tags: amazon-web-services, amazon-ec2, ntp, aws-security-group

Security group for AWS NTP Server


I am just trying to synchronize time with an NTP server on EC2 instances:

server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst

Unfortunately, I couldn't sync with the NTP server. My questions are:

  1. Do we have to open ports in the security group to allow the NTP server to connect to EC2 instances?
  2. If yes, then how can we know which IP amazon.pool.ntp.org resolves to (it changes over time)? We cannot open All Traffic.

Thanks in advance,
Toan Dao


Solution

  • You need to allow outbound traffic to 0.0.0.0/0 on port 123 on your security group for NTP to work.

    If your EC2 instance is in a public subnet, then you only need to allow this on your security group.

    But if your EC2 instance is in a private subnet, then you need to allow inbound and outbound traffic on port 123 for your NAT to pass the requests and responses. Inbound is required from your EC2 instance (not the world).
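As an added example (not part of the question or the answer above), the following Python checks a security group, in the JSON shape returned by `aws ec2 describe-security-groups`, against the rules the answer describes: UDP/123 egress to 0.0.0.0/0 on the instance's group, plus, for a private subnet, UDP/123 inbound on the NAT's group from the instance subnet rather than from the world. The group ids and subnet CIDR are constructed sample values, and an instance SG with a broad "-1" (all traffic) egress rule is treated as allowing NTP too.

```python
import ipaddress

NTP_PORT = 123  # NTP speaks UDP on port 123

def _rule_covers(rule, cidr):
    """True if one IpPermission entry allows UDP/123 for every address in cidr."""
    proto = rule.get("IpProtocol")
    if proto not in ("-1", "udp"):  # "-1" is the AWS value for all protocols
        return False
    if proto == "udp" and not (rule.get("FromPort", 0) <= NTP_PORT <= rule.get("ToPort", 65535)):
        return False
    want = ipaddress.ip_network(cidr)
    for r in rule.get("IpRanges", []):
        allowed = ipaddress.ip_network(r["CidrIp"])
        if want.version == allowed.version and want.subnet_of(allowed):
            return True
    return False

def allows_ntp_egress(sg, dest_cidr="0.0.0.0/0"):
    return any(_rule_covers(r, dest_cidr) for r in sg.get("IpPermissionsEgress", []))

def allows_ntp_ingress_from(sg, src_cidr):
    return any(_rule_covers(r, src_cidr) for r in sg.get("IpPermissions", []))

def ntp_findings(instance_sg, nat_sg=None, instance_subnet_cidr=None):
    """Return a list of missing rules; an empty list means NTP should reach the pool."""
    findings = []
    if not allows_ntp_egress(instance_sg):
        findings.append(f"{instance_sg['GroupId']}: no UDP/123 egress to 0.0.0.0/0")
    if nat_sg is not None:  # private subnet: the NAT must accept and forward the queries
        if not allows_ntp_ingress_from(nat_sg, instance_subnet_cidr):
            findings.append(f"{nat_sg['GroupId']}: no UDP/123 ingress from {instance_subnet_cidr}")
        if not allows_ntp_egress(nat_sg):
            findings.append(f"{nat_sg['GroupId']}: no UDP/123 egress to 0.0.0.0/0")
    return findings

# Constructed sample groups (ids and CIDRs are placeholders, not real resources).
SG_INSTANCE_OK = {"GroupId": "sg-instance-ok", "IpPermissions": [], "IpPermissionsEgress": [
    {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_INSTANCE_BAD = {"GroupId": "sg-instance-bad", "IpPermissions": [], "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SG_NAT = {"GroupId": "sg-nat", "IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    print(ntp_findings(SG_INSTANCE_BAD, SG_NAT, "10.0.1.0/24"))
```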