diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index 14dd572b9..cf4f7c07e 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -195,17 +195,17 @@ func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) er
 // TODO: We need to handle partial state better in the in-between
 // in this update.
- if len(add) > 0 {
- // Authorize the new rules
- _, err := ec2conn.AuthorizeSecurityGroup(group, add)
+ if len(remove) > 0 {
+ // Revoke the old rules
+ _, err = ec2conn.RevokeSecurityGroup(group, remove)
 if err != nil {
 return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
 }
 }
- if len(remove) > 0 {
- // Revoke the old rules
- _, err = ec2conn.RevokeSecurityGroup(group, remove)
+ if len(add) > 0 {
+ // Authorize the new rules
+ _, err := ec2conn.AuthorizeSecurityGroup(group, add)
 if err != nil {
 return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
 }
diff --git a/builtin/providers/aws/resource_aws_security_group_test.go b/builtin/providers/aws/resource_aws_security_group_test.go
index 8e86547cf..281be7a68 100644
--- a/builtin/providers/aws/resource_aws_security_group_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_test.go
@@ -240,9 +240,9 @@ func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroupInfo)
 },
 ec2.IPPerm{
 FromPort: 80,
- ToPort: 1234,
+ ToPort: 8000,
 Protocol: "tcp",
- SourceIPs: []string{"10.0.0.0/8"},
+ SourceIPs: []string{"0.0.0.0/0", "10.0.0.0/8"},
 },
 }
@@ -262,7 +262,7 @@ func testAccCheckAWSSecurityGroupAttributesChanged(group *ec2.SecurityGroupInfo)
 p)
 }
- if group.IPPerms[0].ToPort == 1234 {
+ if group.IPPerms[0].ToPort == 8000 {
 group.IPPerms[1], group.IPPerms[0] = group.IPPerms[0], group.IPPerms[1]
 }
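Review bot: In the resource_aws_security_group.go hunk, the revoke branch that now runs first still returns `"Error authorizing security group ingress rules: %s"` when RevokeSecurityGroup fails, so the error does not say which half of the update failed; it should read `return fmt.Errorf("Error revoking security group ingress rules: %s", err)`. The distinction matters more with the new order: if the revoke succeeds and the later AuthorizeSecurityGroup call fails, the group is left with the old rules gone and none of the new ones applied, which fails closed but, as the TODO above the branch admits, is not recorded as partial state. A source covered by both an old and a new rule is presumably also unreachable for the interval between the two calls, so a short comment stating that revoke-then-authorize is deliberate, and why, would help the next reader. The body of resourceAwsSecurityGroupUpdate starts and ends outside the hunk, so how `add` and `remove` are computed is not visible here.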
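Review bot: The changed expectation `SourceIPs: []string{"0.0.0.0/0", "10.0.0.0/8"}` in the -240,9 hunk of resource_aws_security_group_test.go, and the matching `cidr_blocks` line in the config hunk at the end of that file, make the fixture open TCP 80–8000 to every IPv4 source, although any second CIDR would exercise adding a source to an existing rule. If this acceptance test runs against a real account, as the `testAcc` naming suggests, a run that fails before teardown leaves that world-open group behind. A second private range would do, for example `cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12"]`, with the expected slice updated to match. The expected slice is also in a different order from the config, so the check presumably relies on the order the API returns; the comparison itself is outside the hunk.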
@@ -307,8 +307,8 @@ resource "aws_security_group" "web" {
 ingress {
 protocol = "tcp"
 from_port = 80
- to_port = 1234
- cidr_blocks = ["10.0.0.0/8"]
+ to_port = 8000
+ cidr_blocks = ["10.0.0.0/8", "0.0.0.0/0"]
 }
 }
 `