diff --git a/API.md b/API.md index 008f8d35..b5d1470e 100644 --- a/API.md +++ b/API.md @@ -79,6 +79,7 @@ new ECRDeployment(scope: Construct, id: string, props: ECRDeploymentProps) * **environment** (Map) The environment variable to set. __*Optional*__ * **memoryLimit** (number) The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket. __*Default*__: 512 * **role** ([aws_iam.IRole](#aws-cdk-lib-aws-iam-irole)) Execution role associated with this function. __*Default*__: A role is automatically created + * **securityGroups** (Array<[aws_ec2.SecurityGroup](#aws-cdk-lib-aws-ec2-securitygroup)>) The list of security groups to associate with the Lambda's network interfaces. __*Default*__: If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function. * **vpc** ([aws_ec2.IVpc](#aws-cdk-lib-aws-ec2-ivpc)) The VPC network to place the deployment lambda handler in. __*Default*__: None * **vpcSubnets** ([aws_ec2.SubnetSelection](#aws-cdk-lib-aws-ec2-subnetselection)) Where in the VPC to place the deployment lambda handler. __*Default*__: the Vpc default strategy if not specified @@ -147,6 +148,7 @@ Name | Type | Description **environment**? | Map | The environment variable to set.
__*Optional*__ **memoryLimit**? | number | The amount of memory (in MiB) to allocate to the AWS Lambda function which replicates the files from the CDK bucket to the destination bucket.
__*Default*__: 512 **role**? | [aws_iam.IRole](#aws-cdk-lib-aws-iam-irole) | Execution role associated with this function.
__*Default*__: A role is automatically created +**securityGroups**? | Array<[aws_ec2.SecurityGroup](#aws-cdk-lib-aws-ec2-securitygroup)> | The list of security groups to associate with the Lambda's network interfaces.
__*Default*__: If the function is placed within a VPC and a security group is not specified, either by this or securityGroup prop, a dedicated security group will be created for this function. **vpc**? | [aws_ec2.IVpc](#aws-cdk-lib-aws-ec2-ivpc) | The VPC network to place the deployment lambda handler in.
__*Default*__: None **vpcSubnets**? | [aws_ec2.SubnetSelection](#aws-cdk-lib-aws-ec2-subnetselection) | Where in the VPC to place the deployment lambda handler.
__*Default*__: the Vpc default strategy if not specified
diff --git a/src/index.ts b/src/index.ts
index 08a9b21e..0b208f5d 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -64,6 +64,17 @@ export interface ECRDeploymentProps {
 */
 readonly vpcSubnets?: ec2.SubnetSelection;
+ /**
+ * The list of security groups to associate with the Lambda's network interfaces.
+ *
+ * Only used if 'vpc' is supplied.
+ *
+ * @default - If the function is placed within a VPC and a security group is
+ * not specified, either by this or securityGroup prop, a dedicated security
+ * group will be created for this function.
+ */
+ readonly securityGroups?: ec2.SecurityGroup[];
+
 /**
 * The environment variable to set
 */
@@ -138,6 +149,7 @@ export class ECRDeployment extends Construct {
 memorySize: memoryLimit,
 vpc: props.vpc,
 vpcSubnets: props.vpcSubnets,
+ securityGroups: props.securityGroups,
 });
 const handlerRole = this.handler.role;
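Review bot: The new `securityGroups` prop is typed as the concrete class `ec2.SecurityGroup[]`, so a group obtained through an import such as `SecurityGroup.fromSecurityGroupId(...)`, which yields an `ec2.ISecurityGroup`, cannot be passed; callers who want to attach an existing, already-reviewed group are pushed toward creating a new one. Declaring it as `readonly securityGroups?: ec2.ISecurityGroup[];` would accept both. The `@default` text also refers to a `securityGroup` prop, which is not visible in this interface within the hunk (the interface body continues outside it), so the sentence looks copied from the Lambda props and should name only `securityGroups` if no such prop exists here. It would also help to state in the doc comment that the automatically created group, assuming the handler keeps the aws-cdk-lib Lambda defaults, permits all outbound traffic, which is the main reason to supply a restricted group.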
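Review bot: `props.securityGroups` is forwarded to the handler unconditionally, while the prop's documentation says it is only used when `vpc` is supplied; nothing in the hunk enforces that pairing. Depending on the aws-cdk-lib version, the function construct may either reject or ignore the value, and in the second case a caller could believe the handler is network-restricted when it is not attached to a VPC at all. An explicit guard before the handler is constructed makes the contract visible: `if (props.securityGroups?.length && !props.vpc) { throw new Error("securityGroups requires 'vpc' to be set"); }`. The constructor body starts and ends outside the hunk, so an existing check elsewhere cannot be ruled out.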