diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd4e552..9e98e16 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -183,3 +183,7 @@
- vpn-transit-gatewy
- add labels for tunnel_interfaces and tunnel_loopbacks (optional)
- generate configurations for ASR automation
+
+* 2.2.1 -- 2022-09-28
+ - security-groups
+ - add variable: enable_manage_default_sg
diff --git a/common/version.tf b/common/version.tf
index 42137a1..44ea5cf 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
locals {
- _module_version = "2.2.0"
+ _module_version = "2.2.1"
_module_names = {
"_main_" = "aws-vpc-setup"
diff --git a/security-groups/README.md b/security-groups/README.md
index 9669845..e7b78c1 100644
--- a/security-groups/README.md
+++ b/security-groups/README.md
@@ -50,14 +50,16 @@ module "base-security-groups" {
| [aws_default_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
-| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| [enable\_manage\_default\_sg](#input\_enable\_manage\_default\_sg) | Flag to manage default security group if present. Set to false for shared VPCs | `bool` | `true` | no |
| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
diff --git a/security-groups/main.tf b/security-groups/main.tf
index 8c5c0d5..49958b5 100644
--- a/security-groups/main.tf
+++ b/security-groups/main.tf
@@ -35,6 +35,7 @@ locals {
# default security group
#---
resource "aws_default_security_group" "default" {
+ count = var.enable_manage_default_sg ? 1 : 0
vpc_id = var.vpc_id
tags = merge(
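Review bot: The `count` added on line 52 changes this resource's address from `aws_default_security_group.default` to `aws_default_security_group.default[0]`, so existing state will plan a destroy and re-create on upgrade, and any output or other reference in the module to `aws_default_security_group.default.id` (not visible in this hunk) would now need `[0]` or `one(...)`. For this provider, dropping an `aws_default_security_group` from state only removes it from management and re-adopting it reapplies the module's rule set, so the churn is mostly plan noise, but if the module targets Terraform 1.1 or later a `moved { from = aws_default_security_group.default to = aws_default_security_group.default[0] }` block would avoid it entirely. A one-line comment above the count would also help readers understand the security consequence of the flag, e.g. `# When disabled (shared VPCs), the VPC's default SG is left unmanaged and keeps its existing rules`. The resource body continues past the end of the hunk.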
diff --git a/security-groups/variables.tf b/security-groups/variables.tf
new file mode 100644
index 0000000..dc94ce5
--- /dev/null
+++ b/security-groups/variables.tf
@@ -0,0 +1,5 @@
+variable "enable_manage_default_sg" {
+ description = "Flag to manage default security group if present. Set to false for shared VPCs"
+ type = bool
+ default = true
+}
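Review bot: The description on line 62 says the flag controls management of the default security group but not what leaving it unmanaged means in practice: when the flag is false the module creates no `aws_default_security_group` resource, so the VPC's default security group keeps whatever rules it already has (AWS creates it with an allow-all-from-self ingress rule and allow-all egress) and nothing in this module restricts it. Callers of a shared VPC should know that the restriction is then the responsibility of whoever owns the VPC. Suggest extending the description: `description = "Flag to manage default security group if present. Set to false for shared VPCs; the default SG is then left unmanaged and keeps its existing rules."`.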
diff --git a/vpn-transit-gateway/main.tf b/vpn-transit-gateway/main.tf
index 5620421..eab667d 100644
--- a/vpn-transit-gateway/main.tf
+++ b/vpn-transit-gateway/main.tf
@@ -141,14 +141,16 @@ resource "aws_vpn_connection" "vpn" {
tunnel1_log_options {
cloudwatch_log_options {
- log_enabled = var.enable_cloudwatch_logging
- log_group_arn = var.enable_cloudwatch_logging ? aws_cloudwatch_log_group.log[each.key].arn : null
+ log_enabled = var.enable_cloudwatch_logging
+ log_group_arn = var.enable_cloudwatch_logging ? aws_cloudwatch_log_group.log[each.key].arn : null
+ log_output_format = var.enable_cloudwatch_logging ? "json" : null
}
}
tunnel2_log_options {
cloudwatch_log_options {
- log_enabled = var.enable_cloudwatch_logging
- log_group_arn = var.enable_cloudwatch_logging ? aws_cloudwatch_log_group.log[each.key].arn : null
+ log_enabled = var.enable_cloudwatch_logging
+ log_group_arn = var.enable_cloudwatch_logging ? aws_cloudwatch_log_group.log[each.key].arn : null
+ log_output_format = var.enable_cloudwatch_logging ? "json" : null
}
}