diff --git a/controller/eks-cluster-config-handler.go b/controller/eks-cluster-config-handler.go
index b23e2594..70e490f6 100644
--- a/controller/eks-cluster-config-handler.go
+++ b/controller/eks-cluster-config-handler.go
@@ -732,6 +732,32 @@ func (h *Handler) updateUpstreamClusterState(ctx context.Context, upstreamSpec *
 		}
 	}
 
+	updated, err := awsservices.UpdateClusterAccess(ctx, &awsservices.UpdateClusterAccessOpts{
+		EKSService:          awsSVCs.eks,
+		Config:              config,
+		UpstreamClusterSpec: upstreamSpec,
+	})
+	if err != nil && !isResourceInUse(err) {
+		return config, fmt.Errorf("error updating cluster access config: %w", err)
+	}
+	if updated {
+		return h.enqueueUpdate(config)
+	}
+
+	if config.Spec.PublicAccessSources != nil {
+		updated, err := awsservices.UpdateClusterPublicAccessSources(ctx, &awsservices.UpdateClusterPublicAccessSourcesOpts{
+			EKSService:          awsSVCs.eks,
+			Config:              config,
+			UpstreamClusterSpec: upstreamSpec,
+		})
+		if err != nil && !isResourceInUse(err) {
+			return config, fmt.Errorf("error updating cluster public access sources: %w", err)
+		}
+		if updated {
+			return h.enqueueUpdate(config)
+		}
+	}
+
 	// check tags for update
 	if config.Spec.Tags != nil {
 		updated, err := awsservices.UpdateResourceTags(ctx, &awsservices.UpdateResourceTagsOpts{
@@ -763,32 +789,6 @@ func (h *Handler) updateUpstreamClusterState(ctx context.Context, upstreamSpec *
 		}
 	}
 
-	updated, err := awsservices.UpdateClusterAccess(ctx, &awsservices.UpdateClusterAccessOpts{
-		EKSService:          awsSVCs.eks,
-		Config:              config,
-		UpstreamClusterSpec: upstreamSpec,
-	})
-	if err != nil && !isResourceInUse(err) {
-		return config, fmt.Errorf("error updating cluster access config: %w", err)
-	}
-	if updated {
-		return h.enqueueUpdate(config)
-	}
-
-	if config.Spec.PublicAccessSources != nil {
-		updated, err := awsservices.UpdateClusterPublicAccessSources(ctx, &awsservices.UpdateClusterPublicAccessSourcesOpts{
-			EKSService:          awsSVCs.eks,
-			Config:              config,
-			UpstreamClusterSpec: upstreamSpec,
-		})
-		if err != nil && !isResourceInUse(err) {
-			return config, fmt.Errorf("error updating cluster public access sources: %w", err)
-		}
-		if updated {
-			return h.enqueueUpdate(config)
-		}
-	}
-
 	if config.Spec.NodeGroups == nil {
 		if config.Status.Phase != eksConfigActivePhase {
 			logrus.Infof("Cluster [%s (id: %s)] finished updating", config.Spec.DisplayName, config.Name)