A firewall like UFW is running at the OS level, while Amazon
Security Groups are running at the instance level.
Traffic coming into the EC2 would first pass through the SG,
and then be evaluated by UFW. Take a scenario where traffic
is explicitly allowed to pass through the SG but UFW denies
it -- in this case UFW would sort of 'override' the settings in the SG.