There's more...

You'll eventually run into circular dependency issues when configuring security groups with CloudFormation. Suppose you want all servers in ExampleEC2InstanceSecurityGroup to be able to reach each other on port 22 (SSH). To achieve this, you have to declare the rule as a separate resource of type AWS::EC2::SecurityGroupIngress, because a security group cannot refer to itself in CloudFormation while it is still being created (an inline ingress rule pointing at the group's own Ref is rejected as a circular dependency). This is what the extra resource looks like:

```yaml
  # Stand-alone ingress rule: depends on the group, but the group does not
  # depend on it, so there is no cycle. In a (non-default) VPC use GroupId
  # and SourceSecurityGroupId instead of the *Name properties.
  ExampleEC2InstanceIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      SourceSecurityGroupName:
        Ref: ExampleEC2InstanceSecurityGroup
      GroupName:
        Ref: ExampleEC2InstanceSecurityGroup
      FromPort: 22
      ToPort: 22
```
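To make the dependency problem concrete, here is an added example (not code from the book) that builds both template variants as Python dictionaries and runs a small Ref/GetAtt dependency walk over them: the inline, self-referencing form produces a cycle, the split form does not. The resource names follow the recipe; the VpcId parameter, the use of GroupId/SourceSecurityGroupId (the VPC form of the properties) and the cycle-check helper are assumptions of this example, not part of CloudFormation.

```python
"""Added example: why an inline self-referencing SSH rule is circular while
a separate AWS::EC2::SecurityGroupIngress resource is not."""
import json


def ref(name):
    """Shorthand for a CloudFormation intrinsic Ref."""
    return {"Ref": name}


def self_referencing_inline_template():
    """Naive form: the ingress rule is inline and points at the group being
    created. CloudFormation rejects this with a circular-dependency error."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},  # assumed parameter
        "Resources": {
            "ExampleEC2InstanceSecurityGroup": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Example instance group (constructed)",
                    "VpcId": ref("VpcId"),
                    "SecurityGroupIngress": [{
                        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "SourceSecurityGroupId": ref("ExampleEC2InstanceSecurityGroup"),
                    }],
                },
            }
        },
    }


def split_ingress_template():
    """Working form from the recipe: the rule is its own resource, so the
    group is created first and the rule attaches to it afterwards."""
    template = self_referencing_inline_template()
    group = template["Resources"]["ExampleEC2InstanceSecurityGroup"]
    del group["Properties"]["SecurityGroupIngress"]  # no inline self-reference
    template["Resources"]["ExampleEC2InstanceIngress"] = {
        "Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": {
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "GroupId": ref("ExampleEC2InstanceSecurityGroup"),
            "SourceSecurityGroupId": ref("ExampleEC2InstanceSecurityGroup"),
        },
    }
    return template


def _collect_refs(node, out):
    """Recursively gather targets of Ref and Fn::GetAtt in a property tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                out.add(value)
            elif key == "Fn::GetAtt" and isinstance(value, list) and value:
                out.add(value[0])
            else:
                _collect_refs(value, out)
    elif isinstance(node, list):
        for item in node:
            _collect_refs(item, out)


def resource_dependencies(template):
    """Map each logical resource id to the set of *resources* it depends on.
    Refs to parameters are dropped, since they are resolved before creation."""
    resources = template["Resources"]
    deps = {}
    for name, body in resources.items():
        found = set()
        _collect_refs(body.get("Properties", {}), found)
        depends_on = body.get("DependsOn", [])
        found.update([depends_on] if isinstance(depends_on, str) else depends_on)
        deps[name] = {d for d in found if d in resources}
    return deps


def find_cycle(template):
    """Return the resource names on the first dependency cycle found, or None
    (a plain depth-first search with white/grey/black colouring)."""
    deps = resource_dependencies(template)
    WHITE, GREY, BLACK = 0, 1, 2
    state = {name: WHITE for name in deps}
    stack = []

    def visit(name):
        state[name] = GREY
        stack.append(name)
        for dep in sorted(deps[name]):
            if state[dep] == GREY:          # back edge: dep is an ancestor
                return stack[stack.index(dep):]
            if state[dep] == WHITE:
                cycle = visit(dep)
                if cycle:
                    return cycle
        stack.pop()
        state[name] = BLACK
        return None

    for name in sorted(deps):
        if state[name] == WHITE:
            cycle = visit(name)
            if cycle:
                return cycle
    return None


if __name__ == "__main__":
    print("inline form cycle:", find_cycle(self_referencing_inline_template()))
    print("split form cycle: ", find_cycle(split_ingress_template()))
    print(json.dumps(split_ingress_template(), indent=2))  # JSON is valid CloudFormation too
```

The check mirrors what CloudFormation does at stack-creation time: it only needs to see a Ref to a resource that is still on the creation path to refuse the template, which is exactly the situation the inline rule creates and the separate AWS::EC2::SecurityGroupIngress resource avoids.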