
For SSH EC2 connection should there be outbound rule specified?


According to the official docs, only an inbound TCP rule has to be added to the security group.

But how does the response get out? On what protocol and port does the response come back when I type my commands in the terminal?

Or do I need only 1 inbound rule to simply ESTABLISH the connection, and it works both ways - it sends and receives requests and responses over SSH through this 1 inbound rule?


Solution

  • Security Groups are stateful. They track the originating request and automatically allow responses. Per the official documentation:

    Security groups are stateful—if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules. For more information, see Security group connection tracking.
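As an added illustration (not part of the answer above, and not AWS's own code), the check below evaluates a security group's rule set the way the stateful model implies: only the inbound rules decide whether an SSH session from a given client can be established, and the empty egress list is deliberately ignored because the reply traffic is tracked and allowed automatically. The group id and CIDRs are constructed placeholders shaped like the `IpPermissions` output of `aws ec2 describe-security-groups`; the second function is a defender's check that flags SSH exposed to any source.

```python
import ipaddress

# Constructed sample, shaped like the IpPermissions / IpPermissionsEgress
# fields returned by `aws ec2 describe-security-groups` (placeholder ids/CIDRs).
SAMPLE_GROUP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # admin network only
    ],
    # No egress rule at all: the SSH reply is still allowed because the
    # security group is stateful and tracks the established connection.
    "IpPermissionsEgress": [],
}

WORLD = ("0.0.0.0/0", "::/0")


def _rule_covers(rule, proto, port):
    """True if the rule's protocol/port range covers proto:port ('-1' = all)."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule["IpProtocol"] == proto and rule["FromPort"] <= port <= rule["ToPort"]


def _rule_matches(rule, proto, port, src_ip):
    """True if the rule admits src_ip on proto:port."""
    if not _rule_covers(rule, proto, port):
        return False
    ip = ipaddress.ip_address(src_ip)
    # `in` is False for mismatched IP versions, so v4 clients never match ::/0.
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def ssh_session_allowed(group, client_ip):
    """Can client_ip open an SSH session to an instance in this group?
    Only IpPermissions (inbound) is consulted: with stateful security groups the
    response packets of an allowed inbound connection flow out regardless of
    IpPermissionsEgress, so the egress rules play no part in this decision."""
    return any(_rule_matches(r, "tcp", 22, client_ip) for r in group["IpPermissions"])


def ssh_open_to_world(group):
    """Defender's check: does any inbound rule expose port 22 to every source?"""
    return any(
        _rule_covers(r, "tcp", 22) and
        any(ipr["CidrIp"] in WORLD for ipr in r.get("IpRanges", []))
        for r in group["IpPermissions"]
    )
```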