diff --git a/lib/aws/idl/ec2/instance.go b/lib/aws/idl/ec2/instance.go
index c0218350d..bff8c38d1 100644
--- a/lib/aws/idl/ec2/instance.go
+++ b/lib/aws/idl/ec2/instance.go
@@ -28,7 +28,7 @@ type Instance struct {
 	// The instance type, such as t2.micro. The default type is "m3.medium".
 	InstanceType *InstanceType `lumi:"instanceType,optional"`
 	// A list that contains the Amazon EC2 security groups to assign to the Amazon EC2 instance.
-	SecurityGroups *[]*SecurityGroup `lumi:"securityGroups,optional"`
+	SecurityGroups *[]*SecurityGroup `lumi:"securityGroups,optional,replaces"`
 	// Provides the name of the Amazon EC2 key pair.
 	KeyName *string `lumi:"keyName,optional"`
 
diff --git a/lib/aws/pack/ec2/instance.ts b/lib/aws/pack/ec2/instance.ts
index ce5fc80e3..2342f8da0 100644
--- a/lib/aws/pack/ec2/instance.ts
+++ b/lib/aws/pack/ec2/instance.ts
@@ -67,7 +67,7 @@ export class Instance extends lumi.Resource implements InstanceArgs {
     public readonly name: string;
     public imageId: string;
     public instanceType?: InstanceType;
-    public securityGroups?: SecurityGroup[];
+    public readonly securityGroups?: SecurityGroup[];
     public keyName?: string;
     @lumi.out public availabilityZone: string;
     @lumi.out public privateDNSName?: string;
@@ -94,7 +94,7 @@ export class Instance extends lumi.Resource implements InstanceArgs {
 export interface InstanceArgs {
     imageId: string;
     instanceType?: InstanceType;
-    securityGroups?: SecurityGroup[];
+    readonly securityGroups?: SecurityGroup[];
     keyName?: string;
 }
 
diff --git a/lib/aws/provider/ec2/instance.go b/lib/aws/provider/ec2/instance.go
index eb5757b06..2c713841a 100644
--- a/lib/aws/provider/ec2/instance.go
+++ b/lib/aws/provider/ec2/instance.go
@@ -174,7 +174,7 @@ func (p *instanceProvider) Get(ctx context.Context, id resource.ID) (*ec2.Instan
 // InspectChange checks what impacts a hypothetical update will have on the resource's properties.
 func (p *instanceProvider) InspectChange(ctx context.Context, id resource.ID,
 	old *ec2.Instance, new *ec2.Instance, diff *resource.ObjectDiff) ([]string, error) {
-	// TODO: we should permit changes to security groups for non-EC2-classic VMs that are in VPCs.
+	// TODO[pulumi/lumi#187]: we should permit changes to security groups for non-EC2-classic VMs that are in VPCs.
 	return nil, nil
 }
 
diff --git a/lib/aws/rpc/ec2/instance.go b/lib/aws/rpc/ec2/instance.go
index acc61b5b7..f764347dd 100644
--- a/lib/aws/rpc/ec2/instance.go
+++ b/lib/aws/rpc/ec2/instance.go
@@ -123,6 +123,9 @@ func (p *InstanceProvider) InspectChange(
         if diff.Changed("name") {
             replaces = append(replaces, "name")
         }
+        if diff.Changed("securityGroups") {
+            replaces = append(replaces, "securityGroups")
+        }
     }
     more, err := p.ops.InspectChange(ctx, id, old, new, diff)
     if err != nil {