diff --git a/CHANGELOG.md b/CHANGELOG.md index ebc4fa49..9f7ad6d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Added - Add `global.podSecurityStandards.enforced` value for PSS migration. +- Add AWS tags to all created resources for CAPA and EKS clusters. ## [0.20.0] - 2023-09-21 diff --git a/pkg/aws/services/acm/acm.go b/pkg/aws/services/acm/acm.go index d4606d65..d4d4f259 100644 --- a/pkg/aws/services/acm/acm.go +++ b/pkg/aws/services/acm/acm.go @@ -36,10 +36,6 @@ func (s *Service) EnsureCertificate(domain string, customerTags map[string]strin Key: aws.String(key.S3TagOrganization), Value: aws.String(util.RemoveOrg(s.scope.ClusterNamespace())), }, - { - Key: aws.String(key.S3TagCluster), - Value: aws.String(s.scope.ClusterName()), - }, { Key: aws.String(fmt.Sprintf(key.S3TagCloudProvider, s.scope.ClusterName())), Value: aws.String("owned"), @@ -51,6 +47,13 @@ func (s *Service) EnsureCertificate(domain string, customerTags map[string]strin }, ValidationMethod: aws.String(acm.ValidationMethodDns), } + // add cluster tag if missing (this is case for vintage clusters) + if _, ok := customerTags[key.S3TagCluster]; !ok { + if customerTags == nil { + customerTags = make(map[string]string) + } + customerTags[key.S3TagCluster] = s.scope.ClusterName() + } for k, v := range customerTags { tag := &acm.Tag{ diff --git a/pkg/aws/services/cloudfront/cloudfront.go b/pkg/aws/services/cloudfront/cloudfront.go index e900134e..74be42d6 100644 --- a/pkg/aws/services/cloudfront/cloudfront.go +++ b/pkg/aws/services/cloudfront/cloudfront.go 
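Review bot: The new fallback in `EnsureCertificate` writes into the `customerTags` map the caller passed in, so the function silently mutates its argument; after this commit capa.go hands `awsCluster.Spec.AdditionalTags` straight through, so the fetched CR's in-memory spec gains the cluster tag as a side effect and the same already-modified map is then passed on to the other services. The cloudfront hunk in this same commit copies the map before touching it, so the acm and `CreateTags` hunks in pkg/aws/services/s3/bucket.go should do the same for consistency. Copy into a local map sized for one extra entry, insert the fallback there and range over the copy, which also removes the need for the nested `customerTags == nil` check. `EnsureCertificate` starts before this hunk and continues after it.
```go
	// Work on a private copy so the caller's map (the CR spec) is never mutated.
	tags := make(map[string]string, len(customerTags)+1)
	for k, v := range customerTags {
		tags[k] = v
	}
	// add cluster tag if missing (this is the case for vintage clusters)
	if _, ok := tags[key.S3TagCluster]; !ok {
		tags[key.S3TagCluster] = s.scope.ClusterName()
	}
	for k, v := range tags {
	// … unchanged: acm.Tag construction and append …
```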
@@ -127,6 +127,11 @@ func (s *Service) EnsureDistribution(config DistributionConfig) (*Distribution, // Add internal and customer tags. { + // deep copy the map from config.CustomerTags + customerTags := make(map[string]string) + for k, v := range config.CustomerTags { + customerTags[k] = v + } for k, v := range s.internalTags() { tag := &cloudfront.Tag{ Key: aws.String(k), @@ -135,7 +140,12 @@ func (s *Service) EnsureDistribution(config DistributionConfig) (*Distribution, i.DistributionConfigWithTags.Tags.Items = append(i.DistributionConfigWithTags.Tags.Items, tag) } - for k, v := range config.CustomerTags { + // add cluster tag if missing (this is case for vintage clusters) + if _, ok := customerTags[key.S3TagCluster]; !ok { + customerTags[key.S3TagCluster] = s.scope.ClusterName() + } + + for k, v := range customerTags { tag := &cloudfront.Tag{ Key: aws.String(k), Value: aws.String(v), @@ -268,7 +278,6 @@ func (s *Service) findDistribution() (*Distribution, error) { func (s *Service) internalTags() map[string]string { return map[string]string{ key.S3TagOrganization: util.RemoveOrg(s.scope.ClusterNamespace()), - key.S3TagCluster: s.scope.ClusterName(), fmt.Sprintf(key.S3TagCloudProvider, s.scope.ClusterName()): "owned", key.S3TagInstallation: s.scope.Installation(), } diff --git a/pkg/aws/services/s3/bucket.go b/pkg/aws/services/s3/bucket.go index 08633caa..f57981da 100644 --- a/pkg/aws/services/s3/bucket.go +++ b/pkg/aws/services/s3/bucket.go @@ -50,10 +50,6 @@ func (s *Service) CreateTags(bucketName string, customerTags map[string]string) Key: aws.String(key.S3TagOrganization), Value: aws.String(util.RemoveOrg(s.scope.ClusterNamespace())), }, - { - Key: aws.String(key.S3TagCluster), - Value: aws.String(s.scope.ClusterName()), - }, { Key: aws.String(fmt.Sprintf(key.S3TagCloudProvider, s.scope.ClusterName())), Value: aws.String("owned"), 
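Review bot: With the `!ok` check in the second hunk, a customer-supplied entry under `key.S3TagCluster` takes precedence over `s.scope.ClusterName()`, so a value in `Spec.AdditionalTags` can label the distribution with a different cluster name, and anything downstream that keys on that tag (cost attribution, tag-conditioned access policies) would follow the customer value rather than the operator's. If the intent is only to fill the tag in when absent, that is fine but worth stating in the comment; if the operator is meant to be authoritative for this tag, set it unconditionally after the copy, `customerTags[key.S3TagCluster] = s.scope.ClusterName()`, instead of guarding it. The acm.go and s3/bucket.go hunks in this commit use the same guard, so the decision should be applied to all three. The comment itself reads better as `// add cluster tag if missing (this is the case for vintage clusters)`. `EnsureDistribution` starts before this hunk and continues after it.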
@@ -65,6 +61,13 @@ func (s *Service) CreateTags(bucketName string, customerTags map[string]string) }, }, } + // add cluster tag if missing (this is case for vintage clusters) + if _, ok := customerTags[key.S3TagCluster]; !ok { + if customerTags == nil { + customerTags = make(map[string]string) + } + customerTags[key.S3TagCluster] = s.scope.ClusterName() + } for k, v := range customerTags { i.Tagging.TagSet = append(i.Tagging.TagSet, &s3.Tag{Key: aws.String(k), Value: aws.String(v)}) diff --git a/pkg/irsa/capa/capa.go b/pkg/irsa/capa/capa.go index 470a9115..650ca3f8 100644 --- a/pkg/irsa/capa/capa.go +++ b/pkg/irsa/capa/capa.go @@ -16,7 +16,7 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" - capi "sigs.k8s.io/cluster-api/api/v1beta1" + capa "sigs.k8s.io/cluster-api-provider-aws/v2/api/v1beta2" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/giantswarm/irsa-operator/pkg/aws/scope" @@ -95,17 +95,13 @@ func (s *Service) Reconcile(ctx context.Context) error { return err } - // Fetch custom tags from Cluster CR - cluster := &capi.Cluster{} - err = s.Client.Get(ctx, types.NamespacedName{Namespace: s.Scope.ClusterNamespace(), Name: s.Scope.ClusterName()}, cluster) - if apierrors.IsNotFound(err) { - // fallthrough - } else if err != nil { + // Fetch custom tags from AWSCluster CR + awsCluster := &capa.AWSCluster{} + err = s.Client.Get(ctx, types.NamespacedName{Namespace: s.Scope.ClusterNamespace(), Name: s.Scope.ClusterName()}, awsCluster) + if err != nil { return err } - customerTags := key.GetCustomerTags(cluster) - - err = s.S3.CreateTags(s.Scope.BucketName(), customerTags) + err = s.S3.CreateTags(s.Scope.BucketName(), awsCluster.Spec.AdditionalTags) if err != nil { ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc() s.Scope.Logger().Error(err, "failed to create tags") 
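Review bot: Removing the `apierrors.IsNotFound` branch turns a missing AWSCluster from a tolerated condition into a hard reconcile error, and unlike the later failures in this function it is returned bare, without the `ctrlmetrics.Errors` increment or a log line, so the new failure mode will be harder to spot in operation. If that is intended, say so where the fetch happens, e.g. `// Fetch custom tags from AWSCluster CR; a missing AWSCluster aborts the reconcile since tagging must not proceed without it`, and consider routing the error through the same metric/log path the other failures use; otherwise keep the not-found tolerance with an empty tag map as before. With the branch gone, `apierrors` is still imported in the hunk above this one; if nothing else in the file references it the package will no longer build. `Reconcile` starts before this hunk and continues after it.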
@@ -122,7 +118,7 @@ func (s *Service) Reconcile(ctx context.Context) error { cloudfrontAliasDomain := s.getCloudFrontAliasDomain() if cloudfrontAliasDomain != "" { // Ensure ACM certificate. - certificateArn, err := s.ACM.EnsureCertificate(cloudfrontAliasDomain, customerTags) + certificateArn, err := s.ACM.EnsureCertificate(cloudfrontAliasDomain, awsCluster.Spec.AdditionalTags) if err != nil { ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc() s.Scope.Logger().Error(err, "failed to create ACM certificate") @@ -180,7 +176,7 @@ func (s *Service) Reconcile(ctx context.Context) error { cloudfrontCertificateARN = *certificateArn } - distribution, err = s.Cloudfront.EnsureDistribution(cloudfront.DistributionConfig{CustomerTags: customerTags, Aliases: aliases, CertificateArn: cloudfrontCertificateARN}) + distribution, err = s.Cloudfront.EnsureDistribution(cloudfront.DistributionConfig{CustomerTags: awsCluster.Spec.AdditionalTags, Aliases: aliases, CertificateArn: cloudfrontCertificateARN}) if err != nil { ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc() s.Scope.Logger().Error(err, "failed to create cloudfront distribution") @@ -313,7 +309,7 @@ func (s *Service) Reconcile(ctx context.Context) error { identityProviderURLs = append(identityProviderURLs, util.EnsureHTTPS(*alias)) } - return s.IAM.EnsureOIDCProviders(identityProviderURLs, key.STSUrl(s.Scope.Region()), customerTags) + return s.IAM.EnsureOIDCProviders(identityProviderURLs, key.STSUrl(s.Scope.Region()), awsCluster.Spec.AdditionalTags) } err = backoff.Retry(createOIDCProvider, b) if err != nil { diff --git a/pkg/irsa/eks/eks.go b/pkg/irsa/eks/eks.go index 7765d9eb..e7d22d42 100644 --- a/pkg/irsa/eks/eks.go +++ b/pkg/irsa/eks/eks.go 
@@ -5,7 +5,7 @@ import ( "github.com/giantswarm/microerror" "k8s.io/apimachinery/pkg/types" - capi "sigs.k8s.io/cluster-api/api/v1beta1" + controlplanecapa "sigs.k8s.io/cluster-api-provider-aws/v2/controlplane/eks/api/v1beta2" "sigs.k8s.io/controller-runtime/pkg/client" "github.com/giantswarm/irsa-operator/pkg/aws/scope" @@ -41,15 +41,14 @@ func (s *Service) Reconcile(ctx context.Context) error { } identityProviderURLs := []string{oidcURL} - // Fetch custom tags from Cluster CR - cluster := &capi.Cluster{} + // Fetch custom tags from AWSManagedControlPlane CR + cluster := &controlplanecapa.AWSManagedControlPlane{} err = s.Client.Get(ctx, types.NamespacedName{Namespace: s.Scope.ClusterNamespace(), Name: s.Scope.ClusterName()}, cluster) if err != nil { return microerror.Mask(err) } - customerTags := key.GetCustomerTags(cluster) - err = s.IAM.EnsureOIDCProviders(identityProviderURLs, key.STSUrl(s.Scope.Region()), customerTags) + err = s.IAM.EnsureOIDCProviders(identityProviderURLs, key.STSUrl(s.Scope.Region()), cluster.Spec.AdditionalTags) if err != nil { ctrlmetrics.Errors.WithLabelValues(s.Scope.Installation(), s.Scope.AccountID(), s.Scope.ClusterName(), s.Scope.ClusterNamespace()).Inc() s.Scope.Logger().Error(err, "failed to create OIDC provider")
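Review bot: The fetched object is now an `AWSManagedControlPlane`, but the variable keeps the name `cluster`, which the next reader will take for a Cluster CR; rename it to match the type, `controlPlane := &controlplanecapa.AWSManagedControlPlane{}`, pass `controlPlane` to `s.Client.Get`, and read `controlPlane.Spec.AdditionalTags`. The lookup also presumes the control-plane object shares the cluster's name and namespace; that appears to be the convention this operator relies on, but a one-line comment such as `// The AWSManagedControlPlane is expected to carry the cluster's name` would make the NotFound error easier to diagnose when it does not hold. `Reconcile` starts before this hunk.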