diff --git a/apis/v1beta1/types.go b/apis/v1beta1/types.go
index 04101eb466..0a49b52144 100644
--- a/apis/v1beta1/types.go
+++ b/apis/v1beta1/types.go
@@ -41,6 +41,9 @@ type ProviderConfigSpec struct {
 	// Useful for AWS API implementations that do not have the IAM, STS API, or metadata API
 	// +optional
 	SkipReqAccountId bool `json:"skip_requesting_account_id,omitempty"`
+	// Ignore tags with provdied prefixes
+	// +optional
+	IgnoreTagsPrefixes []string `json:"ignore_tags_prefixes,omitempty"`
 }
 
 // AssumeRoleOptions define the options for assuming an IAM Role
diff --git a/apis/v1beta1/zz_generated.deepcopy.go b/apis/v1beta1/zz_generated.deepcopy.go
index accf51c5ae..20cfdd8462 100644
--- a/apis/v1beta1/zz_generated.deepcopy.go
+++ b/apis/v1beta1/zz_generated.deepcopy.go
@@ -216,6 +216,11 @@ func (in *ProviderConfigSpec) DeepCopyInto(out *ProviderConfigSpec) {
 		*out = new(EndpointConfig)
 		(*in).DeepCopyInto(*out)
 	}
+	if in.IgnoreTagsPrefixes != nil {
+		in, out := &in.IgnoreTagsPrefixes, &out.IgnoreTagsPrefixes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderConfigSpec.
diff --git a/internal/clients/aws.go b/internal/clients/aws.go
index 368cd28258..948073e249 100644
--- a/internal/clients/aws.go
+++ b/internal/clients/aws.go
@@ -42,6 +42,8 @@ const (
 	keySkipRegionValidation      = "skip_region_validation"
 	keySkipReqAccountId          = "skip_requesting_account_id"
 	keyEndpoints                 = "endpoints"
+	keyIgnoreTags                = "ignore_tags"
+	keyIgnoreTagsPrefixes        = "key_prefixes"
 )
 
 type SetupConfig struct {
@@ -109,6 +111,11 @@ func pushDownTerraformSetupBuilder(ctx context.Context, c client.Client, pc *v1b
 		keyRegion: cfg.Region,
 	}
 
+	ignoreTags := map[string]any{
+		keyIgnoreTagsPrefixes: pc.Spec.IgnoreTagsPrefixes,
+	}
+	ps.Configuration[keyIgnoreTags] = []any{ignoreTags}
+
 	switch s := pc.Spec.Credentials.Source; s { //nolint:exhaustive
 	case authKeyWebIdentity:
 		if pc.Spec.Credentials.WebIdentity == nil {
@@ -187,6 +194,11 @@ func DefaultTerraformSetupBuilder(_ context.Context, pc *v1beta1.ProviderConfig,
 		keySkipReqAccountId:     pc.Spec.SkipReqAccountId,
 	}
 
+	ignoreTags := map[string]any{
+		keyIgnoreTagsPrefixes: pc.Spec.IgnoreTagsPrefixes,
+	}
+	ps.Configuration[keyIgnoreTags] = []any{ignoreTags}
+
 	if pc.Spec.Endpoint != nil {
 		if pc.Spec.Endpoint.URL.Static != nil {
 			if len(pc.Spec.Endpoint.Services) > 0 && *pc.Spec.Endpoint.URL.Static == "" {
diff --git a/package/crds/aws.upbound.io_providerconfigs.yaml b/package/crds/aws.upbound.io_providerconfigs.yaml
index fe521d4ff8..d4dafd5abe 100644
--- a/package/crds/aws.upbound.io_providerconfigs.yaml
+++ b/package/crds/aws.upbound.io_providerconfigs.yaml
@@ -400,6 +400,11 @@ spec:
                 required:
                 - url
                 type: object
+              ignore_tags_prefixes:
+                description: Ignore tags with provdied prefixes
+                items:
+                  type: string
+                type: array
               s3_use_path_style:
                 description: Whether to enable the request to use path-style addressing,
                   i.e., https://s3.amazonaws.com/BUCKET/KEY.