Eric (tssgery)

I would enable the firewall, even on AWS. And, I would go so far as to suggest it should be on by default. That would make users explicitly turn it off if they don't want it. Maybe I am paranoid, as I have had a system compromised, but I err on the side of safety. IMHO, root access for ssh should always be disabled. Using sudo forces log messages to be written that can easily be monitored for intrusion detection. As you mention, not all security patches are deployed automatically. You must be diligent in monitoring for them and applying them if they impact your threat model.