diff --git a/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts b/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts
index 96ddbd5dbefae..71033b4d25955 100644
--- a/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/security-group-rule.ts
@@ -105,7 +105,7 @@ export class AnyIPv6 extends CidrIPv6 {
 * https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
 */
 export class PrefixList implements ISecurityGroupRule, IConnectable {
- public readonly canInlineRule = true;
+ public readonly canInlineRule = false;
 public readonly connections: Connections = new Connections({ securityGroupRule: this });
 public readonly uniqueId: string;
@@ -114,7 +114,7 @@ export class PrefixList implements ISecurityGroupRule, IConnectable {
 }
 public toIngressRuleJSON(): any {
- throw new Error('Prefix lists can only be used for egress rules');
+ return { sourcePrefixListId: this.prefixListId };
 }
 public toEgressRuleJSON(): any {
diff --git a/packages/@aws-cdk/aws-ec2/test/test.security-group.ts b/packages/@aws-cdk/aws-ec2/test/test.security-group.ts
index 0219f16350f7f..2f4dd54eef80c 100644
--- a/packages/@aws-cdk/aws-ec2/test/test.security-group.ts
+++ b/packages/@aws-cdk/aws-ec2/test/test.security-group.ts
@@ -165,6 +165,7 @@ export = {
 for (const peer of peers) {
 for (const port of ports) {
 sg.connections.allowTo(peer, port);
+ sg.connections.allowFrom(peer, port);
 }
 }
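Review bot: The new `canInlineRule = false` on `PrefixList` has no comment saying why a prefix-list rule cannot be inlined, and the flag is not specific to ingress, so it presumably changes how the existing egress rules are rendered too. If the flag does what its name suggests, stacks that already call `allowTo` with a prefix list would synthesize a different template after upgrading, which is worth confirming and recording in the change notes. A one-line comment above the field would help, e.g. `// Not inlinable: <reason to be filled in by the author>; rendered as a standalone rule`. The class body continues outside the hunk.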
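Review bot: `toIngressRuleJSON()` now accepts a prefix list as an ingress source, but nothing documents what that grants. The rule admits traffic from every CIDR in the list, and for an AWS-managed list that membership is maintained by AWS and can change without any deployment of this stack. A TSDoc line on the method would make that trust decision visible to callers, e.g. `/** Allows ingress from every CIDR in the prefix list; membership of AWS-managed lists changes outside this stack. */`. The return type is still `any`, consistent with `toEgressRuleJSON()` below it, so a wrong key name in the returned object would not be caught by the compiler and has to be covered by a test. The class body continues outside the hunk.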
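Review bot: The added `sg.connections.allowFrom(peer, port)` call is only exercised in the lines shown here, not asserted. The test would therefore still pass if the prefix-list ingress rule were rendered with the wrong property or silently dropped. An assertion that the synthesized template contains an `AWS::EC2::SecurityGroupIngress` resource with `SourcePrefixListId` set would pin the new behaviour. The test function starts and ends outside the hunk, so an existing assertion below these lines may already cover part of this.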