diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index b0f7ce3b40..156cefebf1 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -1141,6 +1141,9 @@ Resources:
 - Action: 'acm:DescribeCertificate'
 Effect: Allow
 Resource: '*'
+ - Action: 'acm:ListTagsForCertificate'
+ Effect: Allow
+ Resource: '*'
 - Action: 'autoscaling:DescribeAutoScalingGroups'
 Effect: Allow
 Resource: '*'
@@ -1224,7 +1227,7 @@ Resources:
 RoleName: "{{.Cluster.LocalID}}-app-ingr-ctrl"
 Type: 'AWS::IAM::Role'
 {{ if eq .Cluster.ConfigItems.skipper_open_policy_agent_enabled "true" }}
- # Note: this is not strictly specific to Open Policy Agent and can be extend
+ # Note: this is not strictly specific to Open Policy Agent and can be extend
 # if Skipper Ingress needs to access other AWS resources
 SkipperIngressIAMRole:
 Properties:
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index 398803a087..7c1bd27b5c 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -46,6 +46,12 @@ kube_aws_ingress_controller_nlb_cross_zone: "true"
 kube_aws_ingress_controller_cert_polling_interval: "2m"
 # sets the default LB type: "network" or "application" are valid choices (overwritten by nlb_switch)
 kube_aws_ingress_default_lb_type: "application"
+# cert filter
+{{if eq .Cluster.Environment "production"}}
+kube_aws_ingress_controller_cert_filter_tag: ""
+{{else}}
+kube_aws_ingress_controller_cert_filter_tag: "kubernetes=enabled"
+{{end}}
 # ALB to NLB switch
 # "pre":
diff --git a/cluster/manifests/ingress-controller/deployment.yaml b/cluster/manifests/ingress-controller/deployment.yaml
index 288a7bc696..bfbd565361 100644
--- a/cluster/manifests/ingress-controller/deployment.yaml
+++ b/cluster/manifests/ingress-controller/deployment.yaml
@@ -56,6 +56,9 @@ spec:
 - --load-balancer-type={{ .Cluster.ConfigItems.kube_aws_ingress_default_lb_type }}
 # {{ end }}
 - --cert-polling-interval={{ .Cluster.ConfigItems.kube_aws_ingress_controller_cert_polling_interval }}
+ # {{ if .Cluster.ConfigItems.kube_aws_ingress_controller_cert_filter_tag }}
+ - --cert-filter-tag={{ .Cluster.ConfigItems.kube_aws_ingress_controller_cert_filter_tag }}
+ # {{ end }}
 env:
 - name: CUSTOM_FILTERS
 value: "tag:kubernetes.io/cluster/{{ .Cluster.ID }}=owned tag:node.kubernetes.io/role=worker tag:zalando.org/ingress-enabled=true"
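Review bot: The new `acm:ListTagsForCertificate` statement in the hunk at line 1144 grants the action on `Resource: '*'` without recording which feature needs it; it matches the adjacent `acm:DescribeCertificate` grant and a controller that discovers certificates account-wide presumably cannot be scoped to individual ARNs, but that reasoning lives only in this commit. A comment above the statement, `# read certificate tags for --cert-filter-tag (ingress controller); must cover all certificates the controller may discover`, would keep the permission tied to the flag that requires it when the policy is next audited. Stylistically the three single-action `Allow`/`'*'` statements for ACM could also be one statement with an `Action:` list, which makes later least-privilege reviews easier to read. The whitespace-only hunk at line 1227 would be a good place to also fix `can be extend` to `can be extended`.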
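Review bot: The `# cert filter` comment above the templated block at line 49 does not say what the value means, what format it takes, or why production alone gets an empty value while every other environment filters on `kubernetes=enabled`. I would replace it with `# key=value tag an ACM certificate must carry for the ingress controller to use it; an empty value disables the filter (the flag is then omitted from the deployment)` and a second line stating why production is exempt, presumably because existing production certificates are not yet tagged — that should be confirmed and written down. From a least-privilege standpoint the unfiltered mode landing on the most sensitive environment is the inverse of the long-term intent, so a `# TODO` to tag production certificates and drop the `{{if eq .Cluster.Environment "production"}}` branch belongs in the same comment.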
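Review bot: The `--cert-filter-tag` flag at line 60 is only rendered when the config item is non-empty and only works if the controller's IAM role carries the `acm:ListTagsForCertificate` permission added to cluster.yaml in this commit, but nothing near the flag records either dependency. I would add `# only attach ACM certificates tagged key=value; requires acm:ListTagsForCertificate on the controller role (cluster.yaml); empty config value omits the flag` above the `# {{ if ... }}` guard. A cluster that overrides the config item against a stack missing that permission will presumably fail tag lookups at runtime rather than at render time, which is worth a sentence in the comment so the two changes are not rolled out separately. The enclosing container spec starts outside the hunk.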