The one downside to security groups is the limited reporting available in the AWS Console (which, as a general rule, can be said of every feature in the AWS Console). The console is fine for creating, editing and deleting individual security groups, but it is ineffective for understanding even moderately sophisticated configurations: which rules actually apply to which instances, and what those rules add up to.
The other day, while on vacation down in Truro, I wrote a simple tool to analyze and report on security group rules across your instances. The work took less than an hour, but it allowed me to identify a couple of unintended permissions I had granted to my personal infrastructure. I published the tool as a free service this morning at apps.cloudpercept.com, so if you have an interest, please take a look. Feedback is welcome.
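The kind of cross-instance check described above, as an added example; it is not the apps.cloudpercept.com tool and makes no claim about how that service works. It takes security groups and instances in the shape boto3's `ec2.describe_security_groups()` and `ec2.describe_instances()` return (the sample data is constructed and trimmed to the fields used), joins each rule to the instances that actually carry the group, and flags rules open to `0.0.0.0/0` or `::/0` on ports outside an assumed allow-list, plus groups attached to no instance. The `PUBLIC_OK_PORTS` set and the `sg-`/`i-` identifiers are assumptions for the example.

```python
"""Cross-instance security group audit (added example, not the post's tool).

Input follows the shape of boto3 ec2.describe_security_groups() and
describe_instances() output. Sample data below is constructed.
"""
import ipaddress

# Ports an operator usually intends to expose to the Internet (assumption).
PUBLIC_OK_PORTS = {80, 443}


def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0: a /0 prefix matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """Ports covered by one rule; protocol -1 ('all traffic') has no ports."""
    if perm.get("IpProtocol") == "-1" or "FromPort" not in perm:
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def exposes_unexpected_port(lo, hi):
    """Does the inclusive range [lo, hi] contain any port not in the allow-list?"""
    if hi - lo + 1 > len(PUBLIC_OK_PORTS):
        return True
    return any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1))


def instances_by_group(instances):
    """Map GroupId -> sorted InstanceIds that carry that group."""
    members = {}
    for inst in instances:
        for sg in inst["SecurityGroups"]:
            members.setdefault(sg["GroupId"], []).append(inst["InstanceId"])
    return {gid: sorted(ids) for gid, ids in members.items()}


def find_world_exposure(groups, instances):
    """Rules admitting 0.0.0.0/0 or ::/0 beyond the allow-list, joined to
    the instances they actually affect (an empty list means 'not yet')."""
    members = instances_by_group(instances)
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = port_range(perm)
            if not exposes_unexpected_port(lo, hi):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if is_world(cidr):
                    findings.append({
                        "group": g["GroupId"], "name": g["GroupName"],
                        "protocol": perm["IpProtocol"],
                        "from_port": lo, "to_port": hi, "cidr": cidr,
                        "instances": members.get(g["GroupId"], []),
                    })
    return findings


def unattached_groups(groups, instances):
    """Groups no instance uses: dormant rules that go live on first attach."""
    members = instances_by_group(instances)
    return [g["GroupId"] for g in groups if g["GroupId"] not in members]


# Constructed sample: a web group with SSH left open, a db group reachable
# only from the web group, and a forgotten wide-open group attached to nothing.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "unused-wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    ]},
]
SAMPLE_INSTANCES = [
    {"InstanceId": "i-111", "SecurityGroups": [{"GroupId": "sg-0a1"}]},
    {"InstanceId": "i-222", "SecurityGroups": [{"GroupId": "sg-0a1"}, {"GroupId": "sg-0b2"}]},
]

if __name__ == "__main__":
    for f in find_world_exposure(SAMPLE_GROUPS, SAMPLE_INSTANCES):
        print(f"{f['group']} ({f['name']}): {f['protocol']} "
              f"{f['from_port']}-{f['to_port']} from {f['cidr']} "
              f"-> instances {f['instances'] or 'none'}")
    print("unattached:", unattached_groups(SAMPLE_GROUPS, SAMPLE_INSTANCES))
```

To run it against a real account, replace the two sample lists with `ec2.describe_security_groups()["SecurityGroups"]` and the `Instances` lists flattened out of `ec2.describe_instances()["Reservations"]`. The join to instances is the part the console will not do for you: it tells you that the open SSH rule on `sg-0a1` is live on two hosts, while the all-traffic rule on `sg-0c3` hurts nobody today but becomes an incident the moment someone attaches that group.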