firewalls – What are the best practices for configuring a security group for an AWS web application?

I have a website hosted on AWS EC2, and I have some questions about security.

What is the best way to protect my web application in AWS?

Can I open the HTTP (80) and HTTPS (443) ports to the world (0.0.0.0/0)?

About the SSH port (22), can I open it to the world as well, considering that it is only accessed with a public key, or is the best solution to restrict access to the SSH port to a specific IP and change the port (e.g. 1337)?