Is firewall-cmd/iptables needed on an EC2 Amazon Linux 2 for email if using Security Group?

If there is no firewall running on the instance, or the rules allow all traffic, then just opening the ports in the AWS Security Group will suffice. On Amazon Linux, the default rules allow all inbound and outbound traffic.

However, if there is a firewall with restrictive rules running on the instance, you may have to open the ports in the firewall in addition to opening the ports in the AWS Security Group.

Typically, people will just use the AWS security groups. However, using a local firewall is an option if the situation warrants it.
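
To tell which of the two cases above applies to an instance, the local rule set can be checked directly. The script below is an added example, not part of the original answer: it evaluates `iptables -S INPUT` output for a given TCP port. The function name `port_verdict`, the sample rule sets, and the choice of mail ports (25, 465, 587, 143, 993) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Simplified first-match check of
# `iptables -S INPUT` output: understands the default policy, unconditional
# rules, and tcp --dport / multiport --dports rules with single ports. Rules
# with other matches (-s, -i, conntrack state, port ranges) are skipped.

port_verdict() {   # usage: port_verdict "<iptables -S INPUT output>" <port>
  local rules="$1" port="$2" policy=ACCEPT line target ports
  while IFS= read -r line; do
    case $line in
      "-P INPUT "*) policy=${line#-P INPUT }; continue ;;
      "-A INPUT -j "*) target=${line#-A INPUT -j } ;;
      "-A INPUT -p tcp -m tcp --dport "*" -j "*)
        ports=${line#*--dport }; ports=${ports%% *}
        [ "$ports" = "$port" ] || continue
        target=${line##* -j } ;;
      "-A INPUT -p tcp -m multiport --dports "*" -j "*)
        ports=${line#*--dports }; ports=${ports%% *}
        case ",$ports," in *",$port,"*) ;; *) continue ;; esac
        target=${line##* -j } ;;
      *) continue ;;
    esac
    target=${target%% *}   # drop options such as --reject-with
    case $target in
      ACCEPT) echo open; return ;;
      DROP|REJECT) echo blocked; return ;;
    esac
  done <<EOF
$rules
EOF
  if [ "$policy" = ACCEPT ]; then echo open; else echo blocked; fi
}

# Constructed sample: the allow-all state the answer describes as the default.
DEFAULT_RULES='-P INPUT ACCEPT'
# Constructed sample: a restrictive host firewall that ends in a catch-all REJECT.
RESTRICTIVE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,587 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Mail ports are an assumption (SMTP 25/465/587, IMAP 143/993).
for p in 25 465 587 143 993; do
  echo "port $p: default=$(port_verdict "$DEFAULT_RULES" "$p")" \
       "restrictive=$(port_verdict "$RESTRICTIVE_RULES" "$p")"
done
```

On an instance, pass the live rules with `port_verdict "$(sudo iptables -S INPUT)" 25`; a `blocked` result means the port has to be opened in the local firewall as well as in the Security Group.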