diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index 5b78524a4..1618e9ae4 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -49,8 +49,8 @@ func resource_aws_security_group_create(
 
 	// Wait for the security group to truly exist
 	log.Printf(
-		"[DEBUG] Waiting for SG (%s) to exist",
-		s.ID)
+		"[DEBUG] Waiting for Security Group (%s) to exist",
+		rs.ID)
 	stateConf := &resource.StateChangeConf{
 		Pending: []string{""},
 		Target:  "exists",
@@ -59,7 +59,7 @@ func resource_aws_security_group_create(
 	}
 	if _, err := stateConf.WaitForState(); err != nil {
 		return s, fmt.Errorf(
-			"Error waiting for SG (%s) to become available: %s",
+			"Error waiting for Security Group (%s) to become available: %s",
 			rs.ID, err)
 	}
 
@@ -175,7 +175,9 @@ func resource_aws_security_group_update_state(
 			n["security_groups"] = flattenSecurityGroups(perm.SourceGroups)
 		}
 
-		ingressRules = append(ingressRules, n)
+		// Reverse the order, as Amazon sorts it the reverse of how we created
+		// it.
+		ingressRules = append([]map[string]interface{}{n}, ingressRules...)
 	}
 
 	toFlatten["ingress"] = ingressRules
diff --git a/builtin/providers/aws/resource_aws_security_group_test.go b/builtin/providers/aws/resource_aws_security_group_test.go
index 759381f0b..0b5876fd0 100644
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
@@ -262,8 +262,8 @@ resource "aws_security_group" "web" {
 
     ingress {
         protocol = "tcp"
-        from_port = 80
-        to_port = 8000
+        from_port = 22
+        to_port = 22
         cidr_blocks = ["10.0.0.0/8"]
     }