diff --git a/packages/@aws-cdk/aws-rds/lib/cluster.ts b/packages/@aws-cdk/aws-rds/lib/cluster.ts
index bec077a5283f9..5510bfafebc1c 100644
--- a/packages/@aws-cdk/aws-rds/lib/cluster.ts
+++ b/packages/@aws-cdk/aws-rds/lib/cluster.ts
@@ -151,7 +151,8 @@ export class DatabaseCluster extends cdk.Construct implements IDatabaseCluster {
 subnetIds: subnets.map(s => s.subnetId)
 });
- const securityGroup = new ec2.SecurityGroup(this, 'SecurityGroup', {
+ const securityGroup = props.instanceProps.securityGroup !== undefined ?
+ props.instanceProps.securityGroup : new ec2.SecurityGroup(this, 'SecurityGroup', {
 description: 'RDS security group',
 vpc: props.instanceProps.vpc
 });
diff --git a/packages/@aws-cdk/aws-rds/lib/props.ts b/packages/@aws-cdk/aws-rds/lib/props.ts
index f36afe4521cc6..366260c82791f 100644
--- a/packages/@aws-cdk/aws-rds/lib/props.ts
+++ b/packages/@aws-cdk/aws-rds/lib/props.ts
@@ -30,6 +30,11 @@ export interface InstanceProps {
 * Where to place the instances within the VPC
 */
 vpcPlacement?: ec2.VpcPlacementStrategy;
+
+ /**
+ * Security group. If not specified a new one will be created.
+ */
+ securityGroup?: ec2.ISecurityGroup;
 }
 /**
diff --git a/packages/@aws-cdk/aws-rds/test/test.cluster.ts b/packages/@aws-cdk/aws-rds/test/test.cluster.ts
index 9ec072c6aa298..e36c960e30579 100644
--- a/packages/@aws-cdk/aws-rds/test/test.cluster.ts
+++ b/packages/@aws-cdk/aws-rds/test/test.cluster.ts
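Review bot: A caller-supplied group is adopted unchanged by the new `securityGroup` ternary in cluster.ts, and nothing at the assignment records that the cluster may now share a group with other resources. The constructor continues outside the hunk; if it later adds ingress rules through this variable, they would be written onto the shared group and widen access for everything else attached to it. A comment above the assignment such as `// May be a caller-owned group shared with other resources; any rule added to it affects them too.` would flag that for maintainers. The ternary is also easier to scan as `const securityGroup = props.instanceProps.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {`, which behaves the same for an object-or-undefined prop.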
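Review bot: The doc comment on the new `securityGroup` property in props.ts does not tell callers what reusing a group implies. The supplied group's current rules decide who can reach the database, and the group presumably has to belong to the same VPC as `vpc`; neither is checked in the visible code. I would expand the text to something like `Existing security group to attach to the cluster instead of a dedicated one; it must be in the same VPC as 'vpc', and its current rules apply to the database.` and add a line `@default a new security group is created`. The interface starts before the hunk.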
@@ -89,6 +89,43 @@ export = {
 test.done();
 },
+ 'can create a cluster with imported vpc and security group'(test: Test) {
+ // GIVEN
+ const stack = testStack();
+ const vpc = ec2.VpcNetwork.importFromContext(stack, 'VPC', {
+ vpcId: "VPC12345"
+ });
+ const sg = ec2.SecurityGroup.import(stack, 'SG', {
+ securityGroupId: "SecurityGroupId12345"
+ });
+
+ // WHEN
+ new DatabaseCluster(stack, 'Database', {
+ engine: DatabaseClusterEngine.Aurora,
+ instances: 1,
+ masterUser: {
+ username: 'admin',
+ password: 'tooshort',
+ },
+ instanceProps: {
+ instanceType: new ec2.InstanceTypePair(ec2.InstanceClass.Burstable2, ec2.InstanceSize.Small),
+ vpc,
+ securityGroup: sg
+ }
+ });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::RDS::DBCluster', {
+ Engine: "aurora",
+ DBSubnetGroupName: { Ref: "DatabaseSubnets56F17B9A" },
+ MasterUsername: "admin",
+ MasterUserPassword: "tooshort",
+ VpcSecurityGroupIds: [ "SecurityGroupId12345" ]
+ }));
+
+ test.done();
+ },
+
 'cluster with parameter group'(test: Test) {
 // GIVEN
 const stack = testStack();
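Review bot: The new test asserts only that `VpcSecurityGroupIds` carries the imported id, so it would still pass if the construct went on creating an unused `AWS::EC2::SecurityGroup` alongside the supplied one. Adding `expect(stack).notTo(haveResource('AWS::EC2::SecurityGroup'));` after the existing expectation would pin the intended "reuse, do not create" behaviour. That matters here because a stray group left in the template is an extra network surface nobody is managing.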