diff --git a/builtin/providers/aws/import_aws_security_group.go b/builtin/providers/aws/import_aws_security_group.go
index 88cbb12a6..d710169dd 100644
--- a/builtin/providers/aws/import_aws_security_group.go
+++ b/builtin/providers/aws/import_aws_security_group.go
@@ -49,6 +49,34 @@ func resourceAwsSecurityGroupImportState(
 d.SetType("aws_security_group_rule")
 d.Set("security_group_id", sgId)
 d.Set("type", ruleType)
+
+ // 'self' is false by default. Below, we range over the group ids and set true
+ // if the parent sg id is found
+ d.Set("self", false)
+
+ if len(perm.UserIdGroupPairs) > 0 {
+ s := perm.UserIdGroupPairs[0]
+
+ // Check for Pair that is the same as the Security Group, to denote self.
+ // Otherwise, mark the group id in source_security_group_id
+ isVPC := sg.VpcId != nil && *sg.VpcId != ""
+ if isVPC {
+ if *s.GroupId == *sg.GroupId {
+ d.Set("self", true)
+ // prune the self reference from the UserIdGroupPairs, so we don't
+ // have duplicate sg ids (both self and in source_security_group_id)
+ perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
+ }
+ } else {
+ if *s.GroupName == *sg.GroupName {
+ d.Set("self", true)
+ // prune the self reference from the UserIdGroupPairs, so we don't
+ // have duplicate sg ids (both self and in source_security_group_id)
+ perm.UserIdGroupPairs = append(perm.UserIdGroupPairs[:0], perm.UserIdGroupPairs[0+1:]...)
+ }
+ }
+ }
+
+ // XXX If the rule contained more than one source security group, this
+ // will choose one of them. We actually need to create one rule for each
+ // source security group.
diff --git a/builtin/providers/aws/resource_aws_security_group_rule.go b/builtin/providers/aws/resource_aws_security_group_rule.go
index d170b3d20..ef34e9122 100644
--- a/builtin/providers/aws/resource_aws_security_group_rule.go
+++ b/builtin/providers/aws/resource_aws_security_group_rule.go
@@ -498,7 +498,6 @@ func expandIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup) (*ec2.IpPermiss
 }
 if v, ok := d.GetOk("self"); ok && v.(bool) {
- // if sg.GroupId != nil {
 if sg.VpcId != nil && *sg.VpcId != "" {
 groups[*sg.GroupId] = true
 } else {
@@ -574,10 +573,6 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
 d.Set("cidr_blocks", cb)
- // 'self' is false by default. Below, we range over the group ids and set true
- // if the parent sg id is found
- d.Set("self", false)
-
 var pl []string
 for _, p := range rule.PrefixListIds {
 pl = append(pl, *p.PrefixListId)
@@ -587,17 +582,9 @@ func setFromIPPerm(d *schema.ResourceData, sg *ec2.SecurityGroup, rule *ec2.IpPe
 if len(rule.UserIdGroupPairs) > 0 {
 s := rule.UserIdGroupPairs[0]
- // Check for Pair that is the same as the Security Group, to denote self.
- // Otherwise, mark the group id in source_security_group_id
 if isVPC {
- if *s.GroupId == *sg.GroupId {
- d.Set("self", true)
- }
 d.Set("source_security_group_id", *s.GroupId)
 } else {
- if *s.GroupName == *sg.GroupName {
- d.Set("self", true)
- }
 d.Set("source_security_group_id", *s.GroupName)
 }
 }
diff --git a/builtin/providers/aws/resource_aws_security_group_rule_test.go b/builtin/providers/aws/resource_aws_security_group_rule_test.go
index 4dbaec474..045a0731e 100644
--- a/builtin/providers/aws/resource_aws_security_group_rule_test.go
+++ b/builtin/providers/aws/resource_aws_security_group_rule_test.go
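Review bot: After the two setFromIPPerm hunks, the Read path never writes `self` at all, so the attribute is no longer refreshed from the API and a self-reference removed outside Terraform would only surface as drift if the rule lookup that precedes setFromIPPerm already fails to match (expandIPPerm does fold the group's own id into `groups` when `self` is set, so that may well be the case, but it is not visible here). Because the reason is not obvious from the remaining code, a one-line comment above `if len(rule.UserIdGroupPairs) > 0 {` would help, e.g. `// 'self' is not refreshed here; it is derived on import and otherwise kept from config`, adjusted to whatever the intended contract is. The surviving context lines still dereference `*s.GroupId` and `*s.GroupName` without a nil check, which predates this commit but is worth a guard while the block is being touched. setFromIPPerm starts and ends outside these hunks.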
@@ -416,6 +416,24 @@ func TestAccAWSSecurityGroupRule_Race(t *testing.T) {
 })
 }
+func TestAccAWSSecurityGroupRule_SelfSource(t *testing.T) {
+ var group ec2.SecurityGroup
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckAWSSecurityGroupRuleDestroy,
+ Steps: []resource.TestStep{
+ resource.TestStep{
+ Config: testAccAWSSecurityGroupRuleSelfInSource,
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckAWSSecurityGroupRuleExists("aws_security_group.web", &group),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccAWSSecurityGroupRule_PrefixListEgress(t *testing.T) {
 var group ec2.SecurityGroup
 var endpoint ec2.VpcEndpoint
@@ -1001,3 +1019,28 @@ resource "aws_security_group_rule" "egress_1" {
 security_group_id = "${aws_security_group.egress.id}"
 }
 `
+
+const testAccAWSSecurityGroupRuleSelfInSource = `
+resource "aws_vpc" "foo" {
+ cidr_block = "10.1.0.0/16"
+
+ tags {
+ Name = "tf_sg_rule_self_group"
+ }
+}
+
+resource "aws_security_group" "web" {
+ name = "allow_all"
+ description = "Allow all inbound traffic"
+ vpc_id = "${aws_vpc.foo.id}"
+}
+
+resource "aws_security_group_rule" "allow_self" {
+ type = "ingress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ security_group_id = "${aws_security_group.web.id}"
+ source_security_group_id = "${aws_security_group.web.id}"
+}
+`
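Review bot: TestAccAWSSecurityGroupRule_SelfSource only asserts that the security group exists; nothing in the Check list inspects the rule resource that the fixture creates, so the step relies entirely on the framework's empty-plan check after apply to catch a regression in the `self` / `source_security_group_id` handling this commit changes. Making that expectation explicit would document what the test is for and fail with a clearer message, e.g. adding `resource.TestCheckResourceAttr("aws_security_group_rule.allow_self", "self", "false"),` to the ComposeTestCheckFunc list, assuming the schema default for `self` is stored as `"false"` in state. A short comment on the test saying that a rule whose `source_security_group_id` is its own group must not flip to `self = true` on refresh would also help the next reader connect this test to the provider change.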