diff --git a/packages/@aws-cdk/cloudformation-diff/lib/network/security-group-rule.ts b/packages/@aws-cdk/cloudformation-diff/lib/network/security-group-rule.ts
index fda8cb0404d25..4992dffc77c76 100644
--- a/packages/@aws-cdk/cloudformation-diff/lib/network/security-group-rule.ts
+++ b/packages/@aws-cdk/cloudformation-diff/lib/network/security-group-rule.ts
@@ -28,7 +28,7 @@ export class SecurityGroupRule {
   public readonly peer?: RulePeer;
 
   constructor(ruleObject: any, groupRef?: string) {
-    this.ipProtocol = ruleObject.IpProtocol || '*unknown*';
+    this.ipProtocol = ruleObject.IpProtocol?.toString() || '*unknown*';
     this.fromPort = ruleObject.FromPort;
     this.toPort = ruleObject.ToPort;
     this.groupId = ruleObject.GroupId || groupRef || '*unknown*'; // In case of an inline rule
diff --git a/packages/@aws-cdk/cloudformation-diff/test/network/rule.test.ts b/packages/@aws-cdk/cloudformation-diff/test/network/rule.test.ts
index 234eb3ebd7c99..4d46501e85739 100644
--- a/packages/@aws-cdk/cloudformation-diff/test/network/rule.test.ts
+++ b/packages/@aws-cdk/cloudformation-diff/test/network/rule.test.ts
@@ -74,3 +74,12 @@ test('equality is symmetric', () => {
     },
   ));
 });
+
+test('can describe protocol', () => {
+  expect(new SecurityGroupRule({ IpProtocol: -1 }).describeProtocol()).toEqual('Everything');
+  expect(new SecurityGroupRule({ IpProtocol: '-1' }).describeProtocol()).toEqual('Everything');
+  expect(new SecurityGroupRule({ FromPort: -1 }).describeProtocol()).toEqual('All *UNKNOWN*');
+  expect(new SecurityGroupRule({ IpProtocol: 'tcp', FromPort: -1, ToPort: -1 }).describeProtocol()).toEqual('All TCP');
+  expect(new SecurityGroupRule({ IpProtocol: 'tcp', FromPort: 10, ToPort: 20 }).describeProtocol()).toEqual('TCP 10-20');
+  expect(new SecurityGroupRule({ IpProtocol: 'tcp', FromPort: 10, ToPort: 10 }).describeProtocol()).toEqual('TCP 10');
+});
\ No newline at end of file