diff --git a/pkg/apis/kops/bastion.go b/pkg/apis/kops/bastion.go
index 51023976bb..b8723b02e4 100644
--- a/pkg/apis/kops/bastion.go
+++ b/pkg/apis/kops/bastion.go
@@ -20,4 +20,10 @@ type BastionSpec struct {
 BastionPublicName string `json:"bastionPublicName,omitempty"`
 // IdleTimeoutSeconds is the bastion's Loadbalancer idle timeout
 IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
+
+ LoadBalancer *BastionLoadBalancerSpec `json:"loadBalancer,omitempty"`
+}
+
+type BastionLoadBalancerSpec struct {
+ AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
 }
diff --git a/pkg/apis/kops/v1alpha2/bastion.go b/pkg/apis/kops/v1alpha2/bastion.go
index a0fe839595..b4197d12e1 100644
--- a/pkg/apis/kops/v1alpha2/bastion.go
+++ b/pkg/apis/kops/v1alpha2/bastion.go
@@ -19,5 +19,10 @@ package v1alpha2
 type BastionSpec struct {
 BastionPublicName string `json:"bastionPublicName,omitempty"`
 // IdleTimeoutSeconds is the bastion's Loadbalancer idle timeout
- IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
+ IdleTimeoutSeconds *int64 `json:"idleTimeoutSeconds,omitempty"`
+ LoadBalancer *BastionLoadBalancerSpec `json:"loadBalancer,omitempty"`
+}
+
+type BastionLoadBalancerSpec struct {
+ AdditionalSecurityGroups []string `json:"additionalSecurityGroups,omitempty"`
 }
diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go
index 863a6e8274..20c495a674 100644
--- a/pkg/model/bastion.go
+++ b/pkg/model/bastion.go
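Review bot: The new exported type `BastionLoadBalancerSpec` and the `LoadBalancer` and `AdditionalSecurityGroups` fields carry no doc comments, while the neighbouring `IdleTimeoutSeconds` does; the v1alpha2 hunk has the same gap. Suggest `// LoadBalancer holds settings for the load balancer in front of the bastion` on the field, `// BastionLoadBalancerSpec configures the bastion's load balancer` on the type, and `// AdditionalSecurityGroups lists IDs of existing security groups to attach to the bastion's load balancer alongside the ones already on it` on the slice, since the pkg/model/bastion.go hunk consumes each entry as a shared, pre-existing group looked up by ID and attaching it changes what can reach the bastion. Cosmetically, the v1alpha2 version drops the blank line between `IdleTimeoutSeconds` and `LoadBalancer` that the internal type keeps; matching the two keeps the mirrored structs readable side by side. I do not see a validation change or regenerated deepcopy/conversion code for the new field in this diff; if the rest of the commit does not carry them, each entry should at least be rejected when empty before it becomes a task.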
@@ -244,6 +244,21 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error {
 Tags: tags,
 }
+ // Add additional security groups to the ELB
+ if b.Cluster.Spec.Topology != nil && b.Cluster.Spec.Topology.Bastion != nil && b.Cluster.Spec.Topology.Bastion.LoadBalancer != nil && b.Cluster.Spec.Topology.Bastion.LoadBalancer.AdditionalSecurityGroups != nil {
+ for _, id := range b.Cluster.Spec.Topology.Bastion.LoadBalancer.AdditionalSecurityGroups {
+ t := &awstasks.SecurityGroup{
+ Name: fi.String(id),
+ Lifecycle: b.SecurityLifecycle,
+ ID: fi.String(id),
+ Shared: fi.Bool(true),
+ }
+ if err := c.EnsureTask(t); err != nil {
+ return err
+ }
+ elb.SecurityGroups = append(elb.SecurityGroups, t)
+ }
+ }
 c.AddTask(elb)
 }