diff --git a/internal/service/ds/directory.go b/internal/service/ds/directory.go
index 14ecb7df4a4..54e3c5f12d2 100644
--- a/internal/service/ds/directory.go
+++ b/internal/service/ds/directory.go
@@ -319,7 +319,14 @@ func resourceDirectoryRead(ctx context.Context, d *schema.ResourceData, meta int
 	if aws.StringValue(dir.Type) == directoryservice.DirectoryTypeAdconnector {
 		d.Set("security_group_id", dir.ConnectSettings.SecurityGroupId)
 	} else {
-		d.Set("security_group_id", dir.VpcSettings.SecurityGroupId)
+		/* CLOUD-1547: we encountered environments where VpcSettings was nil.
+		 * In this case, `ConnectSettings.SecurityGroupId` _was_ set, so in
+		 * order to read the attribute we just try both but check for nil first. */
+		if dir.VpcSettings != nil {
+			d.Set("security_group_id", dir.VpcSettings.SecurityGroupId)
+		} else if dir.ConnectSettings != nil {
+			d.Set("security_group_id", dir.ConnectSettings.SecurityGroupId)
+		}
 	}
 	d.Set("short_name", dir.ShortName)
 	d.Set("size", dir.Size)