I really had to dig for this, but it’s quite simple:
$natSG = Get-EC2SecurityGroup -Region $env:AWS_DEFAULT_REGION | ?{$_.Description -eq 'my NAT security group description' -and $_.VpcId -eq $vpcId }
$natSgGroupId = $natSG.GroupId
$defaultSG = Get-EC2SecurityGroup -Region $env:AWS_DEFAULT_REGION | ?{$_.Description -eq 'default VPC security group' -and $_.VpcId -eq $vpcId }
$sourceGroup = New-Object Amazon.EC2.Model.UserIdGroupPair
$sourceGroup.GroupId = $defaultSG.GroupId
$newIpRule = New-Object Amazon.EC2.Model.IpPermission -Property @{IpProtocol='-1'; FromPort='0'; ToPort='65535'; IpRanges='0.0.0.0/0'; UserIdGroupPair=$sourceGroup}
Grant-EC2SecurityGroupIngress -GroupId $natSgGroupId -IpPermission $newIpRule