For example, I have an instance, and using a Security Group allowing income traffic from only my own IP address. My question is: if an attacker got the instance IP address, is there still any way he can attack(something like DDOS) my instance?
It is pretty difficult for most people to spoof an ip address. It is even more difficult for them to guess the IP address you're allowing through the AWS security group to the instance. Still harder is completing a TCP handshake with a spoofed IP, so I'd say you're pretty safe.