Thanks Marc,
I'd have to say that's the most inconvenient thing I've found in Scalr. It's seems difficult to explain to user that Farm-Roles are just meta-data describing a desired state and that meta-data is only applied at the startup.
I may end up making some sort of short video explaining this concept.
I should have found those links in the documentation. In fact, I think I did, but my users are coming from an OpenStack environment where they just self-serviced their own firewall rules while the instances were up and running. It's a paradigm shift.