diff --git a/packages/@aws-cdk/aws-ec2/lib/security-group.ts b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
index c56a6b9dd34d1..90613e3904475 100644
--- a/packages/@aws-cdk/aws-ec2/lib/security-group.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/security-group.ts
@@ -463,7 +463,9 @@ export class SecurityGroup extends SecurityGroupBase {
       // In the case of "allowAllOutbound", we don't add any more rules. There
       // is only one rule which allows all traffic and that subsumes any other
       // rule.
-      Annotations.of(this).addWarning('Ignoring Egress rule since \'allowAllOutbound\' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup');
+      if (!remoteRule) { // Warn only if addEgressRule() was explicitely called
+        Annotations.of(this).addWarning('Ignoring Egress rule since \'allowAllOutbound\' is set to true; To add customize rules, set allowAllOutbound=false on the SecurityGroup');
+      }
       return;
     } else {
       // Otherwise, if the bogus rule exists we can now remove it because the