Disabling a rule in an EC2 security group does not affect already established MongoDB connections

In this case:

  1. Instance X can connect to instance Y over TCP port 27017 (allowed by an EC2 security group rule)
  2. X has a mongo shell
  3. Y runs MongoDB, accepting connections from X on port 27017
  4. From X, use the mongo shell to connect to the DB instance on Y
  5. From this mongo shell session on X, query and insert into the database on Y. Everything is successful.
  6. Change security group Y: delete the port 27017 rule specified in #1
  7. X can still query / insert into the database hosted on Y. This is not expected.
  8. Exit the mongo shell session on X
  9. Repeat step 4; it does not work. This is normal and expected.
The EC2 Network Firewall is expected to terminate connections that violate the rules (security group policies).

Could you explain how this happens? And how can this be avoided (so that X can no longer reach Y in this situation)?

Thanks.

1 answer

"The EC2 network firewall is expected to end connections that break the rules"

You are making an assumption here. It may be your expectation of how it should work, but where is it backed up by the official AWS documentation? I suggest reading the documentation rather than making assumptions about how this works.

From the documentation:

An existing tracked traffic flow is not interrupted when you delete the security group rule that allows it. Instead, the flow is interrupted when it is stopped by you or the other host for at least a few minutes (or up to 5 days for established TCP connections). For UDP, this may require termination on the far side of the flow. An untracked traffic flow is immediately interrupted if the rule allowing the flow is deleted or changed. For example, if you delete a rule that allows all incoming SSH traffic (0.0.0.0/0) to an instance, your existing SSH connections to the instance are immediately dropped.

If you want the traffic to be interrupted immediately when you delete the security group rule, you can use the network ACL for your subnet: network ACLs are stateless and therefore do not automatically allow response traffic. See Network Access Control Lists in the Amazon VPC User Guide for more information.

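The difference the answer describes (a stateful security group keeps admitting packets of a flow it already tracks, while a stateless network ACL evaluates every packet against its rule list) can be shown with a small model. The following is an added example, not code from the original post or from AWS; the two filter classes are a simplified model of the documented behaviour, and the addresses, ports, clock values and the 300-second idle timeout are constructed sample values rather than AWS's real parameters.

```python
"""Model of stateful (security group) vs stateless (network ACL) filtering.

Added illustration: a simplified model of the behaviour quoted from the AWS
documentation, not AWS code. All addresses, ports and timeouts are constructed.
"""
from dataclasses import dataclass, field

MONGO_PORT = 27017
CLIENT, SERVER = "10.0.0.10", "10.0.0.20"   # constructed: X and Y


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int      # client ephemeral port; a new mongo shell session gets a new one
    dst: str
    dport: int
    time: float     # seconds on a constructed clock


@dataclass
class SecurityGroup:
    """Stateful filter: a packet admitted by a rule creates a tracked flow, and
    later packets of that flow are matched against the flow table, not the rule
    list. Deleting the rule therefore does not evict an active flow."""
    allowed_ports: set = field(default_factory=set)
    flow_timeout: float = 300.0     # assumption: idle timeout for a tracked flow
    flows: dict = field(default_factory=dict)   # 5-tuple-ish key -> last seen

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self.flows.get(key)
        if last is not None:
            if pkt.time - last <= self.flow_timeout:
                self.flows[key] = pkt.time      # tracked flow: rules not consulted
                return True
            del self.flows[key]                 # idle too long: flow expired
        if pkt.dport in self.allowed_ports:
            self.flows[key] = pkt.time          # new flow admitted by a rule
            return True
        return False


@dataclass
class NetworkAcl:
    """Stateless filter: every packet is checked against the numbered rules in
    order, first match wins, implicit deny at the end. No flow table exists, so
    a deny rule takes effect on the very next packet of an existing session."""
    rules: list = field(default_factory=list)   # (rule_no, "allow"/"deny", dport or None)

    def allow(self, pkt: Packet) -> bool:
        for _, action, port in sorted(self.rules, key=lambda r: r[0]):
            if port is None or port == pkt.dport:
                return action == "allow"
        return False


def scenario() -> dict:
    """Replay the steps from the question against both filter models."""
    sg = SecurityGroup(allowed_ports={MONGO_PORT})          # step 1
    acl = NetworkAcl(rules=[(100, "allow", None)])          # default-style allow-all ACL
    results = {}

    session = dict(src=CLIENT, sport=51000, dst=SERVER, dport=MONGO_PORT)
    first = Packet(time=0.0, **session)                     # step 4: shell connects
    results["initial"] = sg.allow(first) and acl.allow(first)

    sg.allowed_ports.discard(MONGO_PORT)                    # step 6: rule deleted
    later = Packet(time=10.0, **session)                    # step 7: same session
    results["sg_after_rule_removed"] = sg.allow(later)      # still allowed: tracked flow

    reconnect = Packet(time=11.0, sport=51001, src=CLIENT, dst=SERVER, dport=MONGO_PORT)
    results["sg_new_session"] = sg.allow(reconnect)         # steps 8-9: new flow, no rule

    acl.rules.insert(0, (50, "deny", MONGO_PORT))           # the answer's mitigation
    results["acl_after_deny"] = acl.allow(later)            # cut on the next packet

    idle = Packet(time=10.0 + 301.0, **session)
    results["sg_after_idle_timeout"] = sg.allow(idle)       # flow expired, rule gone
    return results


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:24s} -> {'ALLOW' if allowed else 'DROP'}")
```

Running it reproduces the question's observation (`sg_after_rule_removed` stays allowed, `sg_new_session` is dropped) and the answer's fix (`acl_after_deny` is dropped immediately). Note that the model only drops the old session on the security group side once it has been idle longer than the flow timeout; in practice, if a session must be cut right away, a network ACL deny rule or terminating the session on the database host is what actually ends it.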

Source: https://habr.com/ru/post/1245317/