diff --git a/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts b/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts
index c0541da365afa..b7ab7925d8dd5 100644
--- a/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts
@@ -318,6 +318,69 @@ export class UdpAllPorts implements IPortRange {
 }
 }
 
+/**
+ * A set of matching ICMP Type & Code
+ */
+export class IcmpTypeAndCode implements IPortRange {
+ public readonly canInlineRule = true;
+
+ constructor(private readonly type: number, private readonly code: number) {
+ }
+
+ public toRuleJSON(): any {
+ return {
+ ipProtocol: Protocol.Icmp,
+ fromPort: this.type,
+ toPort: this.code
+ };
+ }
+
+ public toString() {
+ return `ICMP Type ${this.type} Code ${this.code}`;
+ }
+}
+
+/**
+ * All ICMP Codes for a given ICMP Type
+ */
+export class IcmpAllTypeCodes implements IPortRange {
+ public readonly canInlineRule = true;
+
+ constructor(private readonly type: number) {
+ }
+
+ public toRuleJSON(): any {
+ return {
+ ipProtocol: Protocol.Icmp,
+ fromPort: this.type,
+ toPort: -1
+ };
+ }
+
+ public toString() {
+ return `ICMP Type ${this.type}`;
+ }
+}
+
+/**
+ * All ICMP Types & Codes
+ */
+export class IcmpAllTypesAndCodes implements IPortRange {
+ public readonly canInlineRule = true;
+
+ public toRuleJSON(): any {
+ return {
+ ipProtocol: Protocol.Icmp,
+ fromPort: -1,
+ toPort: -1
+ };
+ }
+
+ public toString() {
+ return 'ALL ICMP';
+ }
+}
+
 /**
 * All Traffic
 */
diff --git a/packages/@aws-cdk/aws-ec2/test/test.connections.ts b/packages/@aws-cdk/aws-ec2/test/test.connections.ts
index de7087f425b64..909328f644f19 100644
--- a/packages/@aws-cdk/aws-ec2/test/test.connections.ts
+++ b/packages/@aws-cdk/aws-ec2/test/test.connections.ts
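Review bot: The constructors of `IcmpTypeAndCode` and `IcmpAllTypeCodes` accept any number, yet -1 is the wildcard in this encoding (the sibling classes emit it on purpose), so a caller that passes -1 or a miscomputed value gets a rule wider than the class name promises. A guard in each constructor, e.g. `if (!Number.isInteger(type) || type < 0 || type > 255) { throw new Error('ICMP type must be an integer in 0-255'); }` with the same check for `code`, would keep the wildcard reachable only through the explicitly named classes; if unresolved tokens can reach these constructors, the check would need to skip them. A comment in `toRuleJSON` such as `// ICMP rules reuse the port fields: fromPort is the ICMP type, toPort the ICMP code, -1 means all` would explain why type and code are stored in fields named after ports. `IcmpAllTypeCodes` and `IcmpAllTypesAndCodes` differ by a few letters while the second admits every ICMP message, so their doc comments could state that difference outright.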
@@ -1,8 +1,28 @@
 import { expect, haveResource } from '@aws-cdk/assert';
 import { Stack } from '@aws-cdk/cdk';
 import { Test } from 'nodeunit';
-import { AllConnections, AnyIPv4, AnyIPv6, Connections, IConnectable, PrefixList, SecurityGroup, SecurityGroupRef,
- TcpAllPorts, TcpPort, TcpPortFromAttribute, TcpPortRange, UdpAllPorts, UdpPort, UdpPortFromAttribute, UdpPortRange, VpcNetwork } from '../lib';
+import {
+ AllConnections,
+ AnyIPv4,
+ AnyIPv6,
+ Connections,
+ IcmpAllTypeCodes,
+ IcmpAllTypesAndCodes,
+ IcmpTypeAndCode,
+ IConnectable,
+ PrefixList,
+ SecurityGroup,
+ SecurityGroupRef,
+ TcpAllPorts,
+ TcpPort,
+ TcpPortFromAttribute,
+ TcpPortRange,
+ UdpAllPorts,
+ UdpPort,
+ UdpPortFromAttribute,
+ UdpPortRange,
+ VpcNetwork
+} from "../lib";
 
 export = {
 'peering between two security groups does not recursive infinitely'(test: Test) {
@@ -80,6 +100,9 @@ export = {
 new UdpPortFromAttribute("udp-test-port!"),
 new UdpAllPorts(),
 new UdpPortRange(85, 95),
+ new IcmpTypeAndCode(5, 1),
+ new IcmpAllTypeCodes(8),
+ new IcmpAllTypesAndCodes(),
 new AllConnections()
 ];
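Review bot: The three ICMP ranges in the last hunk are only appended to the list of ranges, and nothing visible there checks the rule each one produces; the enclosing test starts and ends outside the hunk, so this may already be covered elsewhere. Because the classes store the ICMP type in `fromPort` and the code in `toPort`, a swapped or wrong mapping would still synthesize a valid-looking rule that permits different traffic than intended. An assertion on the emitted rule would pin this down, for example that `new IcmpTypeAndCode(5, 1)` yields `fromPort: 5, toPort: 1` and that `new IcmpAllTypeCodes(8)` yields `fromPort: 8, toPort: -1`.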