There's more…

You'll eventually run into circular dependency issues when configuring security groups using CloudFormation. Let's say you want all the servers in ExampleEC2InstanceSecurityGroup to be able to access each other on port 22 (SSH). To achieve this, you need to add the rule as a separate resource of type AWS::EC2::SecurityGroupIngress. This is because a security group can't refer to itself in CloudFormation when it hasn't been created yet. This is what the extra resource looks like:

      ExampleEC2InstanceIngress:
        Type: AWS::EC2::SecurityGroupIngress
        Properties:
          IpProtocol: tcp
          SourceSecurityGroupName:
            Ref: ExampleEC2InstanceSecurityGroup
          GroupName:
            Ref: ExampleEC2InstanceSecurityGroup
          FromPort: 22
          ToPort: 22

Unfortunately, circular dependencies sometimes crop up with CloudFormation, but there is usually an effective workaround.
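
The circular dependency described above can be caught before deployment. The following is an added example, not code from the book: a small Python check that walks Ref, Fn::GetAtt and DependsOn between resources and reports cycles, which generalizes the self-referencing security group to any cycle between resources. The template dicts are constructed samples that reuse the page's resource names.

```python
# Added example (not from the book): find Ref / Fn::GetAtt / DependsOn cycles in a template dict.
def refs(node, names):
    """Yield logical IDs of resources referenced anywhere inside node."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and val in names:
                yield val
            elif key == "Fn::GetAtt":
                target = val[0] if isinstance(val, list) else str(val).split(".")[0]
                if target in names:
                    yield target
            else:
                yield from refs(val, names)
    elif isinstance(node, list):
        for item in node:
            yield from refs(item, names)

def find_cycles(template):
    """Return dependency cycles, each as a list of logical IDs (first == last)."""
    res = template["Resources"]
    graph = {}
    for name, body in res.items():
        deps = set(refs(body.get("Properties", {}), res))
        extra = body.get("DependsOn", [])
        deps.update([extra] if isinstance(extra, str) else extra)
        graph[name] = sorted(deps & set(res))
    cycles, state = [], {}
    def visit(n, path):
        state[n] = "open"
        for d in graph[n]:
            if state.get(d) == "open":      # back edge: d is n itself or an ancestor
                cycles.append(path[path.index(d):] + [d])
            elif d not in state:
                visit(d, path + [d])
        state[n] = "done"
    for n in graph:
        if n not in state:
            visit(n, [n])
    return cycles
# Constructed sample templates: the rule inline in the group, then split out as on the page.
SG = "ExampleEC2InstanceSecurityGroup"
SSH = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "SourceSecurityGroupName": {"Ref": SG}}
INLINE = {"Resources": {SG: {"Type": "AWS::EC2::SecurityGroup",
    "Properties": {"GroupDescription": "example", "SecurityGroupIngress": [SSH]}}}}
SPLIT = {"Resources": {
    SG: {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "example"}},
    "ExampleEC2InstanceIngress": {"Type": "AWS::EC2::SecurityGroupIngress",
        "Properties": dict(SSH, GroupName={"Ref": SG})}}}
print(find_cycles(INLINE), find_cycles(SPLIT))
```

The inline form reports the group as depending on itself, while the split form reports no cycle because only the ingress resource refers to the group.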
