Examples where an AWS Security Group is not sufficient as a firewall?

Currently I am using only an AWS security group for one of my EC2 instances but have given some thought to adding a firewall to that stack as well. I'd be looking at using either iptables or, if I end up migrating the entire system to Ubuntu (not related to this problem), possibly ufw.

If I leave this machine protected using only the security group, am I missing out on some protection? I haven't been able to get a good feel for its level of protection when compared to a traditional *nix software firewall.


If there's ever a bug or exploit in AWS's security groups implementation, you might wind up vulnerable where having iptables or something similar would've protected you.
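The defence-in-depth point the answer makes is easiest to act on by keeping a host firewall that mirrors the security group: if the control plane ever lets something through, the instance still drops it. Below is an added example (not from the question or the answer) that generates an iptables-restore ruleset from a small inbound allow-list. The allow-list format (`proto:port:cidr`) and its two entries are constructed for this example, using the 203.0.113.0/24 documentation range; replace them with the security group's actual inbound rules. The script only prints the ruleset, so it runs without root.

```shell
#!/usr/bin/env bash
# Added example: build an iptables ruleset that mirrors an EC2 security group
# so the host firewall acts as an independent second layer.
set -eu

# Constructed allow-list standing in for the security group's inbound rules.
# Format: proto:port:cidr, one entry per line.
SG_ALLOW_LIST='tcp:22:203.0.113.0/24
tcp:443:0.0.0.0/0'

# Emit an iptables-restore ruleset: INPUT defaults to DROP (the same implicit
# deny a security group applies), loopback and established flows are allowed,
# then one ACCEPT per allow-list entry. Anything not listed is dropped.
gen_rules() {
  allow_list="$1"
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  while IFS=: read -r proto port cidr; do
    # Skip blank lines in the allow-list.
    [ -n "$proto" ] || continue
    printf '%s -p %s -s %s --dport %s %s\n' \
      '-A INPUT' "$proto" "$cidr" "$port" '-m conntrack --ctstate NEW -j ACCEPT'
  done <<EOF
$allow_list
EOF
  printf '%s\n' 'COMMIT'
}

# Sanity check: the generated set should contain exactly one new-connection
# ACCEPT rule per allow-list entry, so a typo or dropped line is noticed
# before the ruleset is loaded.
count_allow_rules() {
  gen_rules "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Print the ruleset. To apply it (after reviewing the output), run:
#   gen_rules "$SG_ALLOW_LIST" | sudo iptables-restore
gen_rules "$SG_ALLOW_LIST"
```

Because the INPUT policy is DROP, locking yourself out is the main risk when loading this on a live instance; keep the SSH entry in the allow-list and load the ruleset from a session you can recover (for example, the EC2 serial or instance console) rather than over the connection it might cut.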