diff --git a/terraform-modules/aws/msk_1.0.9/main.tf b/terraform-modules/aws/msk_1.0.9/main.tf
index 79d0712b8..0553bb520 100644
--- a/terraform-modules/aws/msk_1.0.9/main.tf
+++ b/terraform-modules/aws/msk_1.0.9/main.tf
@@ -144,6 +144,8 @@ module "msk" {
 multi_vpc_connectivity_iam_enabled = var.multi_vpc_connectivity_iam_enabled
 properties = var.properties
 allowed_security_group_ids = var.allowed_security_group_ids
+ associated_security_group_ids = var.associated_security_group_ids
+ create_security_group = var.create_security_group
 depends_on = [
 aws_cloudwatch_log_group.msk_cloudwatch_log_group,
 aws_s3_bucket.this,
diff --git a/terraform-modules/aws/msk_1.0.9/variables.tf b/terraform-modules/aws/msk_1.0.9/variables.tf
index 46d4ae012..13b15291b 100644
--- a/terraform-modules/aws/msk_1.0.9/variables.tf
+++ b/terraform-modules/aws/msk_1.0.9/variables.tf
@@ -117,6 +117,21 @@ variable "allowed_security_group_ids" {
 description = "The security_group_id_list output from the security_groups module"
 }
 
+variable "create_security_group" {
+ type = bool
+ description = "Set `true` to create and configure a new security group. If false, `associated_security_group_ids` must be provided."
+ default = true
+}
+
+variable "associated_security_group_ids" {
+ type = list(string)
+ description = <<-EOT
+ A list of IDs of Security Groups to associate the created resource with, in addition to the created security group.
+ These security groups will not be modified and, if `create_security_group` is `false`, must have rules providing the desired access.
+ EOT
+ default = []
+}
+
 variable "client_tls_auth_enabled" {
 type = bool
 description = "Set true to enable the Client TLS Authentication"
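Review bot: The two new arguments passed to `module "msk"` let a caller set `create_security_group = false` while leaving `associated_security_group_ids` at its `[]` default, and nothing in this wrapper enforces the "must be provided" rule its own variable description states; the cluster would then be created with no wrapper-managed security group at all, and whatever the inner module or AWS falls back to is not visible here. Terraform `validation` blocks cannot reference a second variable, so the check belongs on a resource this wrapper already owns, e.g. a `lifecycle { precondition { condition = var.create_security_group || length(var.associated_security_group_ids) > 0, error_message = "associated_security_group_ids must be non-empty when create_security_group is false" } }` block on `aws_cloudwatch_log_group.msk_cloudwatch_log_group`, which the module already depends on. It would also help to add a comment next to the `allowed_security_group_ids` line noting that, presumably, its ingress rules only exist when `create_security_group` is true, so turning the flag off silently drops that allow-list (confirm against the inner module). The `module "msk"` block starts before and ends after this hunk.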
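Review bot: The `associated_security_group_ids` description explains the relationship to the created security group but not to the neighbouring `allowed_security_group_ids`, and a reader choosing between the two cannot tell from this file that one is attached to the cluster while the other is a source allow-list; a sentence such as `Unlike allowed_security_group_ids, which are sources permitted by the created group's rules, these groups are attached to the cluster itself.` in the heredoc would settle it (the "created resource" phrasing also reads as copied from a generic module and could name the MSK cluster). Because the IDs are attached verbatim and never inspected, a cheap shape check would catch a pasted name or ARN before apply: `validation { condition = alltrue([for id in var.associated_security_group_ids : can(regex("^sg-", id))]) error_message = "associated_security_group_ids must contain security group IDs (sg-...)" }`. The defaults (`true` and `[]`) keep existing callers on the previous behaviour, which is the right choice.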