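I really had to dig for this, but it’s quite simple:

```powershell
# $vpcId is assumed to have been set earlier in the script.
# Look up the NAT security group in this VPC by its description.
$natSG = Get-EC2SecurityGroup -Region $env:AWS_DEFAULT_REGION |
    ?{ $_.Description -eq 'my NAT security group description' -and $_.VpcId -eq $vpcId }
$natSgGroupId = $natSG.GroupId

# Look up the VPC's default security group the same way.
$defaultSG = Get-EC2SecurityGroup -Region $env:AWS_DEFAULT_REGION |
    ?{ $_.Description -eq 'default VPC security group' -and $_.VpcId -eq $vpcId }

# Reference the default security group as the source group of the new rule.
$sourceGroup = New-Object Amazon.EC2.Model.UserIdGrou...
$sourceGroup.GroupId = $defaultSG.GroupId
$newIpRule = New-Object ......
```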