diff --git a/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts b/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts
index 7bdff04787599..d4193aac5834d 100644
--- a/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts
+++ b/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts
@@ -765,8 +765,10 @@ export interface ClusterAttributes {
 
   /**
    * The security groups associated with the container instances registered to the cluster.
+   *
+   * @default - no security groups
    */
-  readonly securityGroups: ec2.ISecurityGroup[];
+  readonly securityGroups?: ec2.ISecurityGroup[];
 
   /**
    * Specifies whether the cluster has EC2 instance capacity.
diff --git a/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts b/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts
index 36accbb9af31b..60af60677adfb 100644
--- a/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts
+++ b/packages/aws-cdk-lib/aws-ecs/test/cluster.test.ts
@@ -1374,6 +1374,20 @@ describe('cluster', () => {
 
   });
 
+  test('Security groups are optonal for imported clusters', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Vpc');
+
+    const cluster = ecs.Cluster.fromClusterAttributes(stack, 'Cluster', {
+      clusterName: 'cluster-name',
+      vpc,
+    });
+
+    // THEN
+    expect(cluster.connections.securityGroups).toEqual([]);
+  });
+
   test('Metric', () => {
     // GIVEN
     const stack = new cdk.Stack();