With Chef 11, AWS OpsWorks used to get you to select a template for the layers in your stack; these templates came with a security configuration that let you access the server from the wider world.
Not so with Chef 12. With the newer version, AWS gets out of your way and does as little as possible. The only security group they assign to a layer is the one that lets you SSH in – if you want more than that, you need to add it yourself. For example, if you want to be able to hit a web server, then add the AWS-OpsWorks-WebApp security group to the layer.
(This is covered in their ‘Getting Started’ guide, but I missed it as I was upgrading from Chef 11.4, not ‘getting started’)