diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
index 06f61b76e..b8669d97f 100644
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
@@ -80,7 +80,11 @@ func flattenIPPerms(list []ec2.IPPerm) []map[string]interface{} {
 		n["protocol"] = perm.Protocol
 		n["to_port"] = perm.ToPort
 		n["cidr_blocks"] = perm.SourceIPs
-		n["security_groups"] = flattenSecurityGroups(perm.SourceGroups)
+
+		if v := flattenSecurityGroups(perm.SourceGroups); len(v) > 0 {
+			n["security_groups"] = v
+		}
+
 		result = append(result, n)
 	}
 
diff --git a/builtin/providers/aws/structure_test.go b/builtin/providers/aws/structure_test.go
index c114d06e0..803e4f376 100644
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@@ -56,31 +56,63 @@ func Test_expandIPPerms(t *testing.T) {
 }
 
 func Test_flattenIPPerms(t *testing.T) {
-	rawIp := []ec2.IPPerm{
-		ec2.IPPerm{
-			Protocol:  "icmp",
-			FromPort:  1,
-			ToPort:    -1,
-			SourceIPs: []string{"0.0.0.0/0"},
-			SourceGroups: []ec2.UserSecurityGroup{
-				ec2.UserSecurityGroup{
-					Id: "sg-11111",
+	cases := []struct {
+		Input  []ec2.IPPerm
+		Output []map[string]interface{}
+	}{
+		{
+			Input: []ec2.IPPerm{
+				ec2.IPPerm{
+					Protocol:  "icmp",
+					FromPort:  1,
+					ToPort:    -1,
+					SourceIPs: []string{"0.0.0.0/0"},
+					SourceGroups: []ec2.UserSecurityGroup{
+						ec2.UserSecurityGroup{
+							Id: "sg-11111",
+						},
+					},
+				},
+			},
+
+			Output: []map[string]interface{}{
+				map[string]interface{}{
+					"protocol":        "icmp",
+					"from_port":       1,
+					"to_port":         -1,
+					"cidr_blocks":     []string{"0.0.0.0/0"},
+					"security_groups": []string{"sg-11111"},
+				},
+			},
+		},
+
+		{
+			Input: []ec2.IPPerm{
+				ec2.IPPerm{
+					Protocol:     "icmp",
+					FromPort:     1,
+					ToPort:       -1,
+					SourceIPs:    []string{"0.0.0.0/0"},
+					SourceGroups: nil,
+				},
+			},
+
+			Output: []map[string]interface{}{
+				map[string]interface{}{
+					"protocol":    "icmp",
+					"from_port":   1,
+					"to_port":     -1,
+					"cidr_blocks": []string{"0.0.0.0/0"},
 				},
 			},
 		},
 	}
 
-	toFlatten := make(map[string]interface{})
-	toFlatten["ingress"] = flattenIPPerms(rawIp)
-
-	perms := flatmap.Flatten(toFlatten)
-
-	if perms["ingress.0.protocol"] != "icmp" {
-		t.Fatalf("bad protocol")
-	}
-
-	if perms["ingress.0.security_groups.0"] != "sg-11111" {
-		t.Fatalf("bad security group")
+	for _, tc := range cases {
+		output := flattenIPPerms(tc.Input)
+		if !reflect.DeepEqual(output, tc.Output) {
+			t.Fatalf("Input:\n\n%#v\n\nOutput:\n\n%#v", tc.Input, output)
+		}
 	}
 }