[AWS::EC2::SecurityGroup] - [BUG] - CFN prevents creating Security Groups (SGs) with the same name in different accounts within a shared VPC #2255

Open
harshitjain99 opened this issue Feb 9, 2025 · 0 comments

Name of the resource

AWS::EC2::SecurityGroup

Resource Name

No response

Issue Description

CloudFormation incorrectly prevents the creation of SGs. CFN prevents creating Security Groups (SGs) with the same name in different accounts within a shared VPC when using CloudFormation (CFN). While this is possible manually, attempting it via CloudFormation fails if the SG is created in the participant account first, followed by the owner account.

Expected Behavior

Creating Security Groups (SGs) with the same name in different accounts within a shared VPC should be allowed via CFN.

Observed Behavior

CloudFormation performs a lookup based on the Security Group name. In shared VPC scenarios, the VPC owner account can see all Security Groups across accounts, while participant accounts only see their own.

Test Cases

Replication Notes

  1. Create a shared VPC using RAM; here you are going to share a VPC and Subnets from the management account to the member account.
  2. Verify you are able to see the management account VPC in the member account.
  3. Now create the SG in the member account first:

Resources:
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow http to client host
      GroupName: 'my-security-group'
      VpcId: 'vpc-xxx'

This will be created successfully.

  4. Now create the same SG in the management account.

It will fail with an error: Resource handler returned message: "Security Group with my-security-group already exists" (RequestToken: xxx , HandlerErrorCode: AlreadyExists)

  5. However, creating the SG in the management account first, followed by the member account, works fine.

Other Details

No response
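A preflight check for the collision described in this issue, added here as an example and not code from the issue author or the project. It reproduces the lookup the report describes: the VPC owner sees every SG in the shared VPC, so a name that is unique from the participant's side can still collide from the owner's side. The account IDs, group IDs and the `preflight` helper are assumptions; `vpc-xxx` is the placeholder from the issue.

```python
"""Detect shared-VPC security-group name collisions before a CFN deploy."""


def find_name_collisions(security_groups, group_name, vpc_id, caller_account):
    """Return (GroupId, OwnerId) pairs for SGs in `vpc_id` named `group_name`
    that belong to an account other than `caller_account`.

    `security_groups` is the 'SecurityGroups' list of an EC2
    DescribeSecurityGroups response (GroupName, GroupId, VpcId, OwnerId).
    An empty result means the name is free from this caller's point of view,
    which is exactly what the participant account sees in the issue.
    """
    collisions = []
    for sg in security_groups:
        if sg.get("VpcId") != vpc_id or sg.get("GroupName") != group_name:
            continue
        if sg.get("OwnerId") != caller_account:
            collisions.append((sg["GroupId"], sg["OwnerId"]))
    return collisions


def preflight(group_name, vpc_id, caller_account, region=None):
    """Live variant: query EC2 as the deploying account and run the check.

    boto3 is imported lazily and assumed to be installed only for live use;
    the 'vpc-id' and 'group-name' filters are standard DescribeSecurityGroups
    filters.
    """
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_security_groups(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]},
                 {"Name": "group-name", "Values": [group_name]}])
    return find_name_collisions(resp["SecurityGroups"], group_name, vpc_id,
                                caller_account)


# Constructed sample (assumed account and group IDs): what the VPC owner
# account 111111111111 sees after participant 222222222222 created the SG
# from the issue first.
OWNER_VIEW = [
    {"GroupName": "my-security-group", "GroupId": "sg-0aaa",
     "VpcId": "vpc-xxx", "OwnerId": "222222222222"},
    {"GroupName": "default", "GroupId": "sg-0bbb",
     "VpcId": "vpc-xxx", "OwnerId": "111111111111"},
]
# The participant only sees its own groups, so its view has no foreign entry.
PARTICIPANT_VIEW = [OWNER_VIEW[0]]

if __name__ == "__main__":
    print(find_name_collisions(OWNER_VIEW, "my-security-group", "vpc-xxx",
                               "111111111111"))  # [('sg-0aaa', '222222222222')]
```

Run `preflight` from the account that will deploy the stack; a non-empty result predicts the `AlreadyExists` handler error from the issue without having to create and roll back the stack.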
