diff --git a/examples/vpc-example/init.pp b/examples/vpc-example/init.pp index dd3c2222..c00dbdff 100644 --- a/examples/vpc-example/init.pp +++ b/examples/vpc-example/init.pp @@ -14,6 +14,19 @@ }], } +ec2_securitygroup { 'sample-vpc::default': + ensure => present, + region => 'sa-east-1', + description => 'default VPC security group', + ingress => [{ + protocol => 'tcp', + port => 22, + cidr => '0.0.0.0/0' + },{ + security_group => 'default', + }], +} + ec2_vpc_subnet { 'sample-subnet': ensure => present, region => 'sa-east-1', diff --git a/lib/puppet/provider/ec2_securitygroup/v2.rb b/lib/puppet/provider/ec2_securitygroup/v2.rb index 414167e5..5874558d 100644 --- a/lib/puppet/provider/ec2_securitygroup/v2.rb +++ b/lib/puppet/provider/ec2_securitygroup/v2.rb @@ -69,9 +69,12 @@ def self.security_group_to_hash(region, group) vpc_name_tag ? vpc_name_tag.value : nil end end + name = group[:group_name] + name = "#{vpc_name}::#{name}" if vpc_name && name == 'default' { id: group.group_id, - name: group[:group_name], + name: name, + group_name: group[:group_name], id: group[:group_id], description: group[:description], ensure: :present, diff --git a/lib/puppet/type/ec2_securitygroup.rb b/lib/puppet/type/ec2_securitygroup.rb index f89c311d..63f05c6e 100644 --- a/lib/puppet/type/ec2_securitygroup.rb +++ b/lib/puppet/type/ec2_securitygroup.rb @@ -5,13 +5,19 @@ ensurable - newparam(:name, namevar: true) do - desc 'the name of the security group' + newparam(:name) do + desc 'the name of the security group resource' + isnamevar validate do |value| fail Puppet::Error, 'Security groups must have a name' if value == '' end end + newparam(:group_name) do + desc 'the name of the security group' + isnamevar + end + newproperty(:region) do desc 'the region in which to launch the security group' validate do |value| @@ -53,6 +59,7 @@ def stringify_values(rules) newproperty(:vpc) do desc 'A VPC to which the group should be associated' + isnamevar end def should_autorequire?(rule) 
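Review bot: The first ingress rule on `sample-vpc::default` admits TCP 22 from `cidr => '0.0.0.0/0'`, which opens SSH on every instance in the VPC's default group to the whole internet, and example manifests like this one get copied into real deployments unchanged. A placeholder that forces the reader to choose, `cidr => '<admin-network-cidr>', # replace before applying`, keeps what the example demonstrates while making the exposure an explicit decision. The second rule refers to the group as `security_group => 'default'` while the provider change in this commit reports that same group under the composite name `sample-vpc::default`; which of the two spellings the ingress comparison expects is not visible here, so the example is worth applying twice against a VPC to confirm the rule does not re-sync on every run.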
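Review bot: The new `name = "#{vpc_name}::#{name}" if vpc_name && name == 'default'` only disambiguates a default group when its VPC carries a Name tag; the context line above leaves `vpc_name` nil otherwise, so two VPCs without Name tags still both surface as plain `default` and the collision this commit sets out to fix survives for them. Falling back to the VPC id when the tag is absent would keep the composite name unique, if the group struct the provider reads exposes it; the rest of security_group_to_hash starts outside the hunk, so I cannot see what else is available. The composite value also has to satisfy the type's first title pattern, `[\w\-]+::default`, so a VPC Name tag containing spaces or dots produces a title the type parses as a plain group_name instead. Unrelated to the change but visible in the context lines: the returned hash carries `id:` twice (`group.group_id` and `group[:group_id]`), which Ruby reports as a duplicated-key warning and which the later entry silently wins.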
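Review bot: `newparam(:group_name)` becomes a namevar but, unlike `name` directly above it, has no `validate` block, so an empty group_name is accepted; mirroring the existing check with `fail Puppet::Error, 'Security groups must have a group_name' if value == ''` keeps the two namevars consistent. The new `desc 'the name of the security group resource'` on `name` does not tell users about the `{vpc-name}::default` title form the rest of this commit introduces; a desc along the lines of `'the resource name; use {vpc-name}::default to address the default security group of a VPC'` would surface that where puppet describe reads it.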
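Review bot: `isnamevar` is added inside `newproperty(:vpc)`, but Puppet derives a type's key attributes from its parameters (`key_attributes`), and a property marked this way may not take part in the uniqueness key at all; if that is the case here, `vpc` contributes nothing to uniqueness even though the title pattern added later in this commit assigns it. A one-line spec asserting that `Puppet::Type.type(:ec2_securitygroup).key_attributes` includes `:vpc` would settle it; if it does not, the effective key is `name` plus `group_name` only and the comment above title_patterns should say so rather than promise a three-part composite.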
@@ -70,4 +77,25 @@ def should_autorequire?(rule)
   autorequire(:ec2_vpc) do
     self[:vpc]
   end
+
+  # When you create a VPC you automatically get a security group called default. You can't change the name.
+  # This lack of uniqueness makes managing these default security groups difficult. Enter a composite namevar.
+  # We support two name formats:
+  #
+  # 1. {some-security-group}
+  # 2. {some-vpc-name}::default
+  #
+  # Note that we only support prefixing a security group name with the vpc name for the default security group
+  # at this point. This avoids the issue of otherwise needing to store the resources in two places for non-default
+  # VPC security groups.
+  #
+  # In the case of a a default security group, we maintain the full name (including the VPC name) in the name property
+  # as otherwise it won't be unique and uniqueness and composite namevars are fun.
+  def self.title_patterns
+    [
+      [ /^(([\w\-]+)::(default))$/, [ [ :name, lambda {|x| x} ], [ :vpc, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ],
+      [ /^((.*))$/, [ [ :name, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ]
+    ]
+  end
+
 end
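Review bot: The second pattern `/^((.*))$/` in title_patterns catches every title the first one rejects, so a default group whose VPC Name tag contains characters outside `[\w\-]` (spaces, dots) arrives as, say, `my vpc::default`, gets `group_name` set to that whole string and `vpc` left unset, with no error; if the provider then looks the group up by group_name it will never find AWS's `default`. Either widening the VPC character class in the first pattern or failing on a title that contains `::` but does not match it would make the mismatch visible instead of silent. Two smaller points: whole-string matching wants `\A`/`\z` rather than `^`/`$`, and the four `lambda {|x| x}` copies can be one `identity = ->(x) { x }` assigned once above the array. The comment also reads `a a default` on its thirteenth line.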