diff --git a/README.md b/README.md
index c29d5c9b4b..d4c7863f4d 100644
--- a/README.md
+++ b/README.md
@@ -829,6 +829,7 @@ Full contributing [guidelines are covered here](https://github.com/terraform-aws
 | Name | Type |
 |------|------|
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_ec2_tag.cluster_primary_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_eks_addon.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon) | resource |
 | [aws_eks_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster) | resource |
 | [aws_eks_identity_provider_config.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_identity_provider_config) | resource |
diff --git a/main.tf b/main.tf
index 9baaa09fcd..ad3504ba69 100644
--- a/main.tf
+++ b/main.tf
@@ -59,6 +59,14 @@ resource "aws_eks_cluster" "this" {
   ]
 }
 
+resource "aws_ec2_tag" "cluster_primary_security_group" {
+  for_each = { for k, v in merge(var.tags, var.cluster_tags) : k => v if var.create }
+
+  resource_id = aws_eks_cluster.this[0].vpc_config[0].cluster_security_group_id
+  key         = each.key
+  value       = each.value
+}
+
 resource "aws_cloudwatch_log_group" "this" {
   count = local.create && var.create_cloudwatch_log_group ? 1 : 0