postfix: is firewall-cmd / iptables needed on an Amazon Linux 2 EC2 for email if the security group is used?

If there is no firewall running on the instance, or if the rules allow all traffic, just open the ports in the AWS Security Group. On Amazon Linux, the default rules allow all incoming and outgoing traffic.

However, if there is a firewall with restrictive rules running on the instance, you may have to open the ports in the firewall in addition to opening the ports in the AWS Security Group.

Typically, in AWS, people will only use security groups. However, using a local firewall is an option if the situation warrants.
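To tell which of the two cases above applies, the following added example (not part of the original answer) reads `iptables -S INPUT` output and reports whether the instance's own firewall would let a new inbound connection reach a mail port. The function name `input_allows_port` and both sample rulesets are constructed for illustration. It covers only the instance side, so the security group must still allow the port.

```shell
#!/bin/sh
# Added example. Reads `iptables -S INPUT` output on stdin and prints
# "allowed" or "blocked" for a new inbound TCP connection to port $1.
# Assumption/simplification: only unconditional rules ("-A INPUT -j X") and
# single-port rules ("-p tcp ... --dport N") are evaluated. Rules limited by
# source, destination or interface are skipped, and jumps into user-defined
# chains (as firewalld creates) are not followed.
input_allows_port() {
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" || verdict != "" { next }
        {
            target = proto = dport = state = ""; narrowed = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
                else if ($i == "-s" || $i == "-d" || $i == "-i" || $i == "!") narrowed = 1
            }
            # Skip rules that cannot decide the fate of a new connection.
            if (narrowed || (state != "" && state !~ /NEW/)) next
            if ($3 != "-j" && !(proto == "tcp" && dport == port)) next
            # First terminating match wins, as in the kernel.
            if (target == "ACCEPT") verdict = "allowed"
            else if (target == "DROP" || target == "REJECT") verdict = "blocked"
        }
        END {
            # No rule decided: the chain policy applies.
            if (verdict == "") verdict = (policy == "ACCEPT") ? "allowed" : "blocked"
            print verdict
        }'
}

# Constructed sample: no local rules, chain policy accepts everything.
PERMISSIVE='-P INPUT ACCEPT'

# Constructed sample: restrictive ruleset that only admits SSH.
RESTRICTIVE='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

for p in 25 587; do
    echo "permissive  port $p: $(printf '%s\n' "$PERMISSIVE" | input_allows_port "$p")"
    echo "restrictive port $p: $(printf '%s\n' "$RESTRICTIVE" | input_allows_port "$p")"
done
```

On a real instance, pipe `sudo iptables -S INPUT` into the function in place of the sample variables.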