diff --git a/groups/groups_test.go b/groups/groups_test.go
index 2fc9572605a..f949cc5b930 100644
--- a/groups/groups_test.go
+++ b/groups/groups_test.go
@@ -168,6 +168,13 @@ func TestGroupConventions(t *testing.T) {
 	for _, g := range cfg.Groups {
 		// groups are easier to reason about if email and name match
 		expectedEmailId := g.Name + "@kubernetes.io"
+		// sig-etcd keeps using security@etcd.io, but the name "security"
+		// has already been used by "security@kubernetes.io", so we use
+		// the name "etcd-security". Refer to discussion in
+		// https://github.com/kubernetes/k8s.io/pull/6542.
+		if g.Name == "etcd-security" {
+			expectedEmailId = "security@etcd.io"
+		}
 		if g.EmailId != expectedEmailId {
 			t.Errorf("group '%s': expected email '%s', got '%s'", g.Name, expectedEmailId, g.EmailId)
 		}
diff --git a/groups/restrictions.yaml b/groups/restrictions.yaml
index 78858abd8d8..015aab83efb 100644
--- a/groups/restrictions.yaml
+++ b/groups/restrictions.yaml
@@ -117,6 +117,9 @@ restrictions:
       - "^k8s-infra-rbac-elekto@kubernetes.io$"
       - "^k8s-infra-rbac-slack-infra@kubernetes.io$"
       - "^k8s-infra-staging-slack-infra@kubernetes.io$"
+  - path: "sig-etcd/groups.yaml"
+    allowedGroups:
+      - "@etcd.io$"
   - path: "sig-docs/groups.yaml"
     allowedGroups:
       - "^blog@kubernetes.io$"
diff --git a/groups/sig-etcd/OWNERS b/groups/sig-etcd/OWNERS
new file mode 100644
index 00000000000..7d089be9917
--- /dev/null
+++ b/groups/sig-etcd/OWNERS
@@ -0,0 +1,9 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+- sig-etcd-leads
+reviewers:
+- sig-etcd-leads
+
+labels:
+- sig/etcd
diff --git a/groups/sig-etcd/groups.yaml b/groups/sig-etcd/groups.yaml
new file mode 100644
index 00000000000..acecd8f7692
--- /dev/null
+++ b/groups/sig-etcd/groups.yaml
@@ -0,0 +1,15 @@
+groups:
+  - email-id: security@etcd.io
+    name: etcd-security
+    description: |-
+      Private list for non-public (internal) triage of etcd security vulnerabilities
+      reported by any etcd contributors or users.
+    settings:
+      WhoCanPostMessage: "ANYONE_CAN_POST"
+      ReconcileMembers: "true"
+    owners:
+      - benjamin.ahrtr@gmail.com
+      - jablair@redhat.com
+      - siarkowicz@google.com
+      - spzala@us.ibm.com
+      - wenjiazhang@google.com