
Creating/Importing a VPC Endpoint only allows for specifying a single SecurityGroup to associate with the VPCe #2699

@KingOfPoptart

Creating a VPC Endpoint does not have any options for specifying SecurityGroups to associate with the InterfaceVpcEndpoint

```ts
export interface InterfaceVpcEndpointProps extends InterfaceVpcEndpointOptions {
    /**
     * The VPC network in which the interface endpoint will be used.
     */
    readonly vpc: IVpc;
}

export interface InterfaceVpcEndpointOptions {
    /**
     * The service to use for this interface VPC endpoint.
     */
    readonly service: IInterfaceVpcEndpointService;
    /**
     * Whether to associate a private hosted zone with the specified VPC. This
     * allows you to make requests to the service using its default DNS hostname.
     *
     * @default true
     */
    readonly privateDnsEnabled?: boolean;
    /**
     * The subnets in which to create an endpoint network interface. At most one
     * per availability zone.
     *
     * @default private subnets
     */
    readonly subnets?: SubnetSelection;
}
```

The properties object to import a VPCEndpoint set up only takes in a single security group

```ts
/**
 * Construction properties for an ImportedInterfaceVpcEndpoint.
 */
export interface InterfaceVpcEndpointAttributes {
    /**
     * The interface VPC endpoint identifier.
     */
    readonly vpcEndpointId: string;
    /**
     * The identifier of the security group associated with the interface VPC endpoint.
     */
    readonly securityGroupId: string;
    /**
     * The port of the service of the interface VPC endpoint.
     */
    readonly port: number;
}
```

CFN supports specifying multiple SecurityGroups -
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html
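
For reference, the CloudFormation shape the issue points to, as an added example that is not part of the original issue or the CDK code base: an interface endpoint whose `SecurityGroupIds` list carries two groups, so each caller population gets its own ingress rule on the endpoint's network interfaces. The SQS service name, the parameter names and the two caller groups are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - interface VPC endpoint with two security groups
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  EndpointSubnetIds:            # at most one subnet per availability zone
    Type: List<AWS::EC2::Subnet::Id>
  AppSecurityGroupId:           # hypothetical: group of the application workloads
    Type: AWS::EC2::SecurityGroup::Id
  OpsSecurityGroupId:           # hypothetical: group of the operations hosts
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  # One group per caller population keeps each ingress rule separately
  # reviewable and removable.
  AppToEndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from application workloads to the endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AppSecurityGroupId
  OpsToEndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from operations hosts to the endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref OpsSecurityGroupId
  SqsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.sqs   # assumed service
      VpcId: !Ref VpcId
      SubnetIds: !Ref EndpointSubnetIds
      PrivateDnsEnabled: true
      SecurityGroupIds:         # a list, unlike the single securityGroupId above
        - !GetAtt AppToEndpointSg.GroupId
        - !GetAtt OpsToEndpointSg.GroupId
```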

Labels: feature-request (A feature should be added or improved.)
