diff --git a/packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts b/packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts
index 5d782dfb6bc49..f4d8ec7d2f4e2 100644
--- a/packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts
+++ b/packages/aws-cdk-lib/aws-s3-deployment/lib/bucket-deployment.ts
@@ -258,6 +258,13 @@ export interface BucketDeploymentProps {
    */
   readonly vpcSubnets?: ec2.SubnetSelection;
 
+  /**
+   * Security group to use with the vpc and subnet.
+   *
+   * @default - the Vpc default strategy if not specified
+   */
+  readonly securityGroups?: ec2.SecurityGroup[];
+
   /**
    * If set to true, uploads will precompute the value of `x-amz-content-sha256`
    * and include it in the signed S3 request headers.
@@ -345,6 +352,7 @@ export class BucketDeployment extends Construct {
       ephemeralStorageSize: props.ephemeralStorageSize,
       vpc: props.vpc,
       vpcSubnets: props.vpcSubnets,
+      securityGroups: props.securityGroups,
       filesystem: accessPoint ? lambda.FileSystem.fromEfsAccessPoint(
         accessPoint,
         mountPath,
diff --git a/packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts b/packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts
index 34801b97bb58b..fa0457eca0df5 100644
--- a/packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts
+++ b/packages/aws-cdk-lib/aws-s3-deployment/test/bucket-deployment.test.ts
@@ -1090,7 +1090,7 @@ test('deployment allows vpc to be implicitly supplied to lambda', () => {
   });
 });
 
-test('deployment allows vpc and subnets to be implicitly supplied to lambda', () => {
+test('deployment allows vpc, subnets and security groups to be explicitly supplied to lambda', () => {
   // GIVEN
   const stack = new cdk.Stack();
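Review bot: The new prop is declared as the concrete class `ec2.SecurityGroup[]`, so a group that was looked up or imported (presumably an `ec2.ISecurityGroup`) cannot be passed, and the interface type is what the rest of the construct props use for VPC resources; change it to `readonly securityGroups?: ec2.ISecurityGroup[];`. The `@default` text "the Vpc default strategy if not specified" also hides a security-relevant fact that the test hunk makes visible: the removed expected value `...SecurityGroup11274779` shows that when this prop is omitted a security group is synthesized for the deployment handler, and such an auto-created group presumably allows all outbound traffic. I would document that, e.g. `@default - a security group is created for the deployment handler (presumably with unrestricted egress); pass your own group to restrict the handler's network reach, e.g. to an S3 VPC endpoint`. The `BucketDeploymentProps` interface continues outside this hunk.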
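Review bot: `securityGroups: props.securityGroups,` is passed into the handler function, but the handler's logical id seen in the test hunk (`CustomCDKBucketDeployment8693BB64...`) suggests a singleton function shared by every `BucketDeployment` in the stack; if that is the case, only the first construct's props shape the function and a second `BucketDeployment` with different `securityGroups` will silently get the first one's group, which defeats the purpose when the group is meant to restrict egress. That caveat should be stated on the prop's doc comment, e.g. `Note: the deployment handler is shared between all BucketDeployments in a stack, so the security groups of the first one created apply to all of them`, and ideally the constructor should fail loudly (or at least warn) when a later instance supplies a conflicting value rather than dropping it. Consider also rejecting `securityGroups` without `vpc` up front with a clear message rather than relying on whatever the Lambda construct does with that combination. The `BucketDeployment` constructor starts and ends outside this hunk.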
@@ -1101,6 +1101,14 @@ test('deployment allows vpc and subnets to be implicitly supplied to lambda', ()
     availabilityZone: vpc.availabilityZones[0],
     cidrBlock: vpc.vpcCidrBlock,
   });
+  const sg: ec2.SecurityGroup[] = [
+    new ec2.SecurityGroup(stack, 'sg1', {
+      vpc,
+      allowAllOutbound: false,
+      description: 'custom security group',
+      securityGroupName: 'controlled egress',
+    }),
+  ];
 
   // WHEN
   new s3deploy.BucketDeployment(stack, 'DeployWithVpc2', {
@@ -1110,6 +1118,7 @@ test('deployment allows vpc and subnets to be implicitly supplied to lambda', ()
     vpcSubnets: {
       availabilityZones: [vpc.availabilityZones[0]],
     },
+    securityGroups: sg,
   });
 
   // THEN
@@ -1118,7 +1127,7 @@ test('deployment allows vpc and subnets to be implicitly supplied to lambda', ()
       SecurityGroupIds: [
         {
           'Fn::GetAtt': [
-            'CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756Cc8a39596cb8641929fcf6a288bc9db5ab7b0f656adSecurityGroup11274779',
+            'sg15CEFF4E3',
             'GroupId',
           ],
         },
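Review bot: The rewritten expectation only checks that `SecurityGroupIds` now points at `sg1`; it does not assert that the handler's previously synthesized group (the removed `...SecurityGroup11274779` value) is no longer created, so a regression that keeps emitting the default, presumably all-egress group alongside the supplied one would still pass. If this file uses `Template` from the assertions module as the matcher in this hunk suggests, add `Template.fromStack(stack).resourceCountIs('AWS::EC2::SecurityGroup', 1);` after the existing `hasResourceProperties` check. The fixture's `allowAllOutbound: false` also yields a group with no usable egress, which is fine for a synth-only test but should not be read as a working configuration — a real handler still needs a path to S3 (gateway endpoint or NAT), so a one-line comment such as `// egress deliberately closed: this test only checks the group is wired through` would stop it being copied as-is. The enclosing `test(...)` callback starts and ends outside these hunks.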