diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index ab1cb52b9..19d221da8 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -3,7 +3,6 @@ package aws
 import (
 "fmt"
 "log"
- "strings"
 "time"
 "github.com/hashicorp/terraform/helper/resource"
@@ -16,6 +15,7 @@ func resourceAwsSecurityGroup() *schema.Resource {
 return &schema.Resource{
 Create: resourceAwsSecurityGroupCreate,
 Read: resourceAwsSecurityGroupRead,
+ Update: resourceAwsSecurityGroupUpdate,
 Delete: resourceAwsSecurityGroupDelete,
 Schema: map[string]*schema.Schema{
@@ -130,43 +130,7 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 }
 ingressList := ingressRaw.([]interface{})
 if len(ingressList) > 0 {
- ingressRules := make([]ec2.IPPerm, len(ingressList))
- for i, mRaw := range ingressList {
- var perm ec2.IPPerm
- m := mRaw.(map[string]interface{})
-
- perm.FromPort = m["from_port"].(int)
- perm.ToPort = m["to_port"].(int)
- perm.Protocol = m["protocol"].(string)
-
- if raw, ok := m["security_groups"]; ok {
- list := raw.([]interface{})
- perm.SourceGroups = make([]ec2.UserSecurityGroup, len(list))
- for i, v := range list {
- name := v.(string)
- ownerId, id := "", name
- if items := strings.Split(id, "/"); len(items) > 1 {
- ownerId, id = items[0], items[1]
- }
-
- perm.SourceGroups[i] = ec2.UserSecurityGroup{
- Id: id,
- OwnerId: ownerId,
- }
- }
- }
-
- if raw, ok := m["cidr_blocks"]; ok {
- list := raw.([]interface{})
- perm.SourceIPs = make([]string, len(list))
- for i, v := range list {
- perm.SourceIPs[i] = v.(string)
- }
- }
-
- ingressRules[i] = perm
- }
-
+ ingressRules := expandIPPerms(ingressList)
 _, err = ec2conn.AuthorizeSecurityGroup(group, ingressRules)
 if err != nil {
 return fmt.Errorf("Error authorizing security group ingress rules: %s", err)
@@ -176,6 +140,10 @@ func resourceAwsSecurityGroupCreate(d *schema.ResourceData, meta interface{}) er
 return resourceAwsSecurityGroupRead(d, meta)
 }
+func resourceAwsSecurityGroupUpdate(d *schema.ResourceData, meta interface{}) error {
+ return nil
+}
+
 func resourceAwsSecurityGroupDelete(d *schema.ResourceData, meta interface{}) error {
 p := meta.(*ResourceProvider)
 ec2conn := p.ec2conn
diff --git a/builtin/providers/aws/structure.go b/builtin/providers/aws/structure.go
index e5e2e5eef..0cc196a94 100644
--- a/builtin/providers/aws/structure.go
+++ b/builtin/providers/aws/structure.go
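Review bot: `resourceAwsSecurityGroupUpdate` returns nil without reading the resource data or calling EC2, and this commit also registers it as `Update:` in resourceAwsSecurityGroup, so any in-place change the schema allows is reported as applied while the real group is left untouched. For a security group that is the dangerous direction of drift: a narrowed `cidr_blocks` entry or a removed ingress rule could show as converged while the broader rule stays in force. Which attributes are ForceNew is not visible in this diff, so the exposure needs checking against the schema. Until the update logic exists, either leave `Update` unset or fail loudly, e.g. `return fmt.Errorf("security group update is not implemented")`.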
@@ -41,69 +41,45 @@ func expandListeners(configured []interface{}) ([]elb.Listener, error) {
 // Takes the result of flatmap.Expand for an array of ingress/egress
 // security group rules and returns EC2 API compatible objects
-func expandIPPerms(configured []interface{}) ([]ec2.IPPerm, error) {
- perms := make([]ec2.IPPerm, 0, len(configured))
+func expandIPPerms(configured []interface{}) []ec2.IPPerm {
+ perms := make([]ec2.IPPerm, len(configured))
+ for i, mRaw := range configured {
+ var perm ec2.IPPerm
+ m := mRaw.(map[string]interface{})
- // Loop over our configured permissions and create
- // an array of goamz/ec2 compatabile objects
- for _, perm := range configured {
- // Our permission object
- newP := perm.(map[string]interface{})
+ perm.FromPort = m["from_port"].(int)
+ perm.ToPort = m["to_port"].(int)
+ perm.Protocol = m["protocol"].(string)
- // Our new returned goamz compatible permission
- p := ec2.IPPerm{}
-
- // Ports
- if attr, ok := newP["from_port"].(string); ok {
- fromPort, err := strconv.Atoi(attr)
- if err != nil {
- return nil, err
- }
- p.FromPort = fromPort
- }
-
- if attr, ok := newP["to_port"].(string); ok {
- toPort, err := strconv.Atoi(attr)
- if err != nil {
- return nil, err
- }
- p.ToPort = toPort
- }
-
- if attr, ok := newP["protocol"].(string); ok {
- p.Protocol = attr
- }
-
- // Loop over the array of sg ids and built
- // compatibile goamz objects
- if secGroups, ok := newP["security_groups"].([]interface{}); ok {
- expandedGroups := []ec2.UserSecurityGroup{}
- gs := expandStringList(secGroups)
-
- for _, g := range gs {
- ownerId, id := "", g
- if items := strings.Split(g, "/"); len(items) > 1 {
+ if raw, ok := m["security_groups"]; ok {
+ list := raw.([]interface{})
+ perm.SourceGroups = make([]ec2.UserSecurityGroup, len(list))
+ for i, v := range list {
+ name := v.(string)
+ ownerId, id := "", name
+ if items := strings.Split(id, "/"); len(items) > 1 {
 ownerId, id = items[0], items[1]
 }
- newG := ec2.UserSecurityGroup{
- Id: id,
+
+ perm.SourceGroups[i] = ec2.UserSecurityGroup{
+ Id: id,
 OwnerId: ownerId,
 }
- expandedGroups = append(expandedGroups, newG)
 }
-
- p.SourceGroups = expandedGroups
 }
- // Expand CIDR blocks
- if cidrBlocks, ok := newP["cidr_blocks"].([]interface{}); ok {
- p.SourceIPs = expandStringList(cidrBlocks)
+ if raw, ok := m["cidr_blocks"]; ok {
+ list := raw.([]interface{})
+ perm.SourceIPs = make([]string, len(list))
+ for i, v := range list {
+ perm.SourceIPs[i] = v.(string)
+ }
 }
- perms = append(perms, p)
+ perms[i] = perm
 }
- return perms, nil
+ return perms
 }
 // Flattens an array of ipPerms into a list of primitives that
diff --git a/builtin/providers/aws/structure_test.go b/builtin/providers/aws/structure_test.go
index 776f40398..2d3cbb47f 100644
--- a/builtin/providers/aws/structure_test.go
+++ b/builtin/providers/aws/structure_test.go
@@ -33,12 +33,20 @@ func testConf() map[string]string {
 }
 func Test_expandIPPerms(t *testing.T) {
- expanded := flatmap.Expand(testConf(), "ingress").([]interface{})
- perms, err := expandIPPerms(expanded)
-
- if err != nil {
- t.Fatalf("bad: %#v", err)
+ expanded := []interface{}{
+ map[string]interface{}{
+ "protocol": "icmp",
+ "from_port": 1,
+ "to_port": -1,
+ "cidr_blocks": []interface{}{"0.0.0.0/0"},
+ "security_groups": []interface{}{
+ "sg-11111",
+ "foo/sg-22222",
+ },
+ },
 }
+ perms := expandIPPerms(expanded)
+
 expected := ec2.IPPerm{
 Protocol: "icmp",
 FromPort: 1,
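Review bot: The rewritten expandIPPerms in structure.go uses unchecked type assertions throughout (`m["from_port"].(int)`, `m["protocol"].(string)`, `raw.([]interface{})`, `v.(string)`), so a missing key or a value of another type panics the provider process, where the old version used comma-ok assertions and returned the strconv.Atoi error. With the error return removed, the function is only safe on data already typed by the schema layer, yet the doc comment above it still describes flatmap.Expand output; update it, e.g. `// configured must hold schema-typed maps (int from_port/to_port, string protocol); other shapes panic.` The `strings.Split(id, "/")` branch keeps only the first two segments and drops any further ones without complaint. Whether structure.go still needs its strconv import after this change is not visible in the hunk.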
@@ -50,56 +58,7 @@ func Test_expandIPPerms(t *testing.T) {
 },
 ec2.UserSecurityGroup{
 OwnerId: "foo",
- Id: "sg-22222",
- },
- },
- }
-
- if !reflect.DeepEqual(perms[0], expected) {
- t.Fatalf(
- "Got:\n\n%#v\n\nExpected:\n\n%#v\n",
- perms[0],
- expected)
- }
-
-}
-
-func Test_expandIPPerms_bad(t *testing.T) {
- badConf := map[string]string{
- "ingress.#": "1",
- "ingress.0.from_port": "not number",
- }
-
- expanded := flatmap.Expand(badConf, "ingress").([]interface{})
- perms, err := expandIPPerms(expanded)
-
- if err == nil {
- t.Fatalf("should have err: %#v", perms)
- }
-}
-
-func Test_expandIPPerms_NoCidr(t *testing.T) {
- conf := testConf()
- delete(conf, "ingress.0.cidr_blocks.#")
- delete(conf, "ingress.0.cidr_blocks.0")
-
- expanded := flatmap.Expand(conf, "ingress").([]interface{})
- perms, err := expandIPPerms(expanded)
-
- if err != nil {
- t.Fatalf("bad: %#v", err)
- }
- expected := ec2.IPPerm{
- Protocol: "icmp",
- FromPort: 1,
- ToPort: -1,
- SourceGroups: []ec2.UserSecurityGroup{
- ec2.UserSecurityGroup{
- Id: "sg-11111",
- },
- ec2.UserSecurityGroup{
- OwnerId: "foo",
- Id: "sg-22222",
+ Id: "sg-22222",
 },
 },
 }
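Review bot: Test_expandIPPerms_bad and Test_expandIPPerms_NoCidr are deleted here without replacement, so the new code's absent-key paths (`if raw, ok := m["cidr_blocks"]; ok` and the matching `security_groups` check) and its behaviour on malformed input have no coverage. Keep a NoCidr-style case built from a literal map without `cidr_blocks` and assert that `SourceIPs` stays nil. If panicking on a wrongly typed `from_port` is the intended contract, pin it with a test that recovers the panic. The remaining Test_expandIPPerms continues outside this hunk.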