Security groups should support deny rules (and ordering)
Having the ability to manage and update security groups is great, thank you for adding that!
One thing that would be nice is the ability to set deny rules - not just allow rules. In order to use that effectively, it should be possible to reorder the rules in a security group.
(Use case: allow a port from a wide IP range, but then deny it to certain IPs)