EC2 > Instances > Launch an instance: for Application and OS Images, is a firewall necessary even after setting up a security group?

0

Hi, I set up a security group for the instance; as you know, I added rules for the ports there.

Do I need to enable ufw? When I did 'sudo ufw status', it said 'status inactive'.

Thanks Sung

1 Answer
0

Security groups and UFW have overlap in what they do for your instance. They both can block traffic based on port, protocol and source addresses, but UFW has many additional features:

  • automatically blocking addresses for incorrect authentication attempts
  • reporting and logging with rsyslog support
  • packet forwarding
  • scripting support for automation
  • integration with web hosting panels (WHM and Plesk for example)

Security groups have a few advantages over software firewalls; API support and IAM integration are just a few examples. In a fleet of hundreds of instances, it's often a simpler approach to change one security group rule than to change the UFW configuration of each instance individually. Software firewalls also consume resources within the operating system. If you add enough rules, eventually the system can slow down as it checks each rule for every connection. Using security groups offloads this work for more efficient filtering.

My recommendation is to start with security groups and then to only add a software firewall if these additional features are needed. Many customers use security groups and network ACLs without any software firewall, but there is certainly nothing wrong with adding one for a specific use case.

https://help.ubuntu.com/community/UFW

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html

AWS
James W
answered a year ago
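To judge whether a host firewall would add anything on a given instance, it helps to compare what is listening on the host with what the security group admits. The following is an added example, not part of the original answer: the function names are hypothetical, both inputs are constructed samples shaped like `aws ec2 describe-security-groups` and `ss -tlnH` output, and rules that reference other security groups, as well as network ACLs, are not evaluated.

```python
import ipaddress
import json

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SG_JSON = """{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
 {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}"""

# Constructed sample, shaped like `ss -tlnH` output on the instance.
SS_OUTPUT = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*"""

def listening_ports(ss_text):
    """TCP ports with a listener bound to a non-loopback address."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue  # loopback-only listeners are unreachable from the network
        ports.add(int(port))
    return ports

def sg_sources(sg_doc, port):
    """CIDR sources the security groups admit to this TCP port."""
    cidrs = []
    for group in sg_doc["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            proto = perm["IpProtocol"]
            # "-1" means all protocols and ports; such rules carry no port range.
            if proto == "-1" or (proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]):
                cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs

def audit(sg_json, ss_text):
    """Map each listening port to how the security group treats it."""
    sg_doc, report = json.loads(sg_json), {}
    for port in sorted(listening_ports(ss_text)):
        cidrs = sg_sources(sg_doc, port)
        open_all = "0.0.0.0/0" in cidrs or "::/0" in cidrs
        report[port] = ("open-to-internet" if open_all
                        else "restricted" if cidrs else "blocked-by-sg-only")
    return report
```

A port reported as `blocked-by-sg-only` has a live listener whose only protection is the absence of a security group rule, which is the case where a host firewall such as UFW would act as a second layer.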
