diff --git a/sahara/service/heat/templates.py b/sahara/service/heat/templates.py
index dfb6ecc2ab..030bc1aeaf 100644
--- a/sahara/service/heat/templates.py
+++ b/sahara/service/heat/templates.py
@@ -32,6 +32,8 @@ LOG = logging.getLogger(__name__)
 SSH_PORT = 22
 INSTANCE_RESOURCE_NAME = "inst"
 SERVER_GROUP_PARAM_NAME = "servgroup"
+AUTO_SECURITY_GROUP_PARAM_NAME = "autosecgroup"
+
 # TODO(vgridnev): Using insecure flag until correct way to pass certificate
 # will be invented
 WAIT_CONDITION_SCRIPT_TEMPLATE = '''
@@ -215,6 +217,9 @@ class ClusterStack(object):
         for ng in self.cluster.node_groups:
             resources.update(self._serialize_ng_group(ng, outputs))
 
+        for ng in self.cluster.node_groups:
+            resources.update(self._serialize_auto_security_group(ng))
+
         return resources
 
     def _serialize_ng_group(self, ng, outputs):
@@ -224,9 +229,15 @@ class ClusterStack(object):
         outputs[ng.name + "-instances"] = {
             "value": {"get_attr": [ng.name, "instance"]}}
         properties = {"instance_index": "%index%"}
+
         if ng.cluster.anti_affinity:
             properties[SERVER_GROUP_PARAM_NAME] = {
                 'get_resource': _get_aa_group_name(ng.cluster)}
+
+        if ng.auto_security_group:
+            properties[AUTO_SECURITY_GROUP_PARAM_NAME] = {
+                'get_resource': g.generate_auto_security_group_name(ng)}
+
         return {
             ng.name: {
                 "type": "OS::Heat::ResourceGroup",
@@ -242,8 +253,13 @@ class ClusterStack(object):
 
     def _serialize_ng_file(self, ng):
         parameters = {"instance_index": {"type": "string"}}
+
         if ng.cluster.anti_affinity:
             parameters[SERVER_GROUP_PARAM_NAME] = {'type': "string"}
+
+        if ng.auto_security_group:
+            parameters[AUTO_SECURITY_GROUP_PARAM_NAME] = {'type': "string"}
+
         return yaml.safe_dump({
             "heat_template_version": heat_common.HEAT_TEMPLATE_VERSION,
             "description": self._node_group_description(ng),
@@ -326,9 +342,6 @@ class ClusterStack(object):
 
         inst_name = _get_inst_name(ng)
 
-        if ng.auto_security_group:
-            resources.update(self._serialize_auto_security_group(ng))
-
         if ng.floating_ip_pool:
             resources.update(self._serialize_nova_floating(ng))
 
@@ -492,8 +505,7 @@ class ClusterStack(object):
         node_group_sg = list(node_group.security_groups or [])
         if node_group.auto_security_group:
             node_group_sg += [
-                {"get_resource": g.generate_auto_security_group_name(
-                    node_group)}
+                {"get_param": AUTO_SECURITY_GROUP_PARAM_NAME}
             ]
         return node_group_sg
 
diff --git a/sahara/tests/unit/service/heat/test_templates.py b/sahara/tests/unit/service/heat/test_templates.py
index 898c593143..0d2f8a1472 100644
--- a/sahara/tests/unit/service/heat/test_templates.py
+++ b/sahara/tests/unit/service/heat/test_templates.py
@@ -98,7 +98,7 @@ class TestClusterTemplate(BaseTestClusterTemplate):
         actual = heat_template._get_security_groups(ng1)
         self.assertEqual(expected, actual)
 
-        expected = ['3', '4', {'get_resource': 'cluster-worker-2'}]
+        expected = ['3', '4', {'get_param': 'autosecgroup'}]
         actual = heat_template._get_security_groups(ng2)
         self.assertEqual(expected, actual)