diff --git a/go.mod b/go.mod
index 3c974a42..3b7b5a70 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ toolchain go1.22.4
 
 require (
 	github.com/aws-controllers-k8s/pkg v0.0.15
-	github.com/aws-controllers-k8s/runtime v0.42.0
+	github.com/aws-controllers-k8s/runtime v0.43.0
 	github.com/aws/aws-sdk-go v1.49.0
 	github.com/aws/aws-sdk-go-v2 v1.32.7
 	github.com/dlclark/regexp2 v1.10.0 // indirect
diff --git a/go.sum b/go.sum
index 625e5356..b045113c 100644
--- a/go.sum
+++ b/go.sum
@@ -73,8 +73,8 @@ github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:l
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
 github.com/aws-controllers-k8s/pkg v0.0.15 h1:C1pnD/aDqJsU9oYf5upHkpSc+Hv4JQVtkdCpfZQIPig=
 github.com/aws-controllers-k8s/pkg v0.0.15/go.mod h1:VvdjLWmR6IJ3KU8KByKiq/lJE8M+ur2piXysXKTGUS0=
-github.com/aws-controllers-k8s/runtime v0.42.0 h1:fVb3cOwUtn0ZwTSedapES+Rspb97S8BTxMqXJt6R5uM=
-github.com/aws-controllers-k8s/runtime v0.42.0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c=
+github.com/aws-controllers-k8s/runtime v0.43.0 h1:mCtMHO0rew84VbqotquvBirnKysbao+y2G3QI8bKZxM=
+github.com/aws-controllers-k8s/runtime v0.43.0/go.mod h1:Oy0JKvDxZMZ+SVupm4NZVqP00KLIIAMfk93KnOwlt5c=
 github.com/aws/aws-sdk-go v1.49.0 h1:g9BkW1fo9GqKfwg2+zCD+TW/D36Ux+vtfJ8guF4AYmY=
 github.com/aws/aws-sdk-go v1.49.0/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v1.32.7 h1:ky5o35oENWi0JYWUZkB7WYvVPP+bcRF5/Iq7JWSb5Rw=
diff --git a/pkg/generate/ack/runtime_test.go b/pkg/generate/ack/runtime_test.go
index fbd211fd..20e211b0 100644
--- a/pkg/generate/ack/runtime_test.go
+++ b/pkg/generate/ack/runtime_test.go
@@ -147,6 +147,8 @@ func (frm *fakeRM) EnsureTags(
 	return nil
 }
 
+func (frm *fakeRM) FilterSystemTags(acktypes.AWSResource) {}
+
 // This test is mostly just a hack to introduce a Go module dependency between
 // the ACK runtime library and the code generator. The code generator doesn't
 // actually depend on Go code in the ACK runtime, but it *produces* templated
diff --git a/templates/pkg/resource/manager.go.tpl b/templates/pkg/resource/manager.go.tpl
index 1d6adbda..c12fc25e 100644
--- a/templates/pkg/resource/manager.go.tpl
+++ b/templates/pkg/resource/manager.go.tpl
@@ -342,14 +342,14 @@ func (rm *resourceManager) FilterSystemTags(res acktypes.AWSResource) {
 {{ end -}}
     existingTags = r.ko.Spec.{{ $tagField.Path }}
 	resourceTags := ToACKTags(existingTags)
-	IgnoreAWSTags(resourceTags)
+	ignoreSystemTags(resourceTags)
 {{ GoCodeInitializeNestedStructField .CRD "r.ko" $tagField "svcapitypes" 1 -}}
 	r.ko.Spec.{{ $tagField.Path }} = FromACKTags(resourceTags)
 {{- end }}
 {{- end }}
 }
 
-// MirrorAWSTags ensures that AWS tags are included in the desired resource
+// mirrorAWSTags ensures that AWS tags are included in the desired resource
 // if they are present in the latest resource. This will ensure that the
 // aws tags are not present in a diff. The logic of the controller will
 // ensure these tags aren't patched to the resource in the cluster, and
@@ -395,7 +395,7 @@ func mirrorAWSTags(a *resource, b *resource) {
     existingLatestTags = b.ko.Spec.{{ $tagField.Path }}
 	desiredTags := ToACKTags(existingDesiredTags)
 	latestTags := ToACKTags(existingLatestTags)
-	SyncAWSTags(desiredTags, latestTags)
+	syncAWSTags(desiredTags, latestTags)
 {{ GoCodeInitializeNestedStructField .CRD "a.ko" $tagField "svcapitypes" 1 -}}
 	a.ko.Spec.{{ $tagField.Path }} = FromACKTags(desiredTags)
 {{- end }}
diff --git a/templates/pkg/resource/tags.go.tpl b/templates/pkg/resource/tags.go.tpl
index 7cd40a11..b762e655 100644
--- a/templates/pkg/resource/tags.go.tpl
+++ b/templates/pkg/resource/tags.go.tpl
@@ -11,6 +11,7 @@ import(
 var (
 	_ = svcapitypes.{{ .CRD.Kind }}{}
 	_ = acktags.NewTags()
+    ACKSystemTags = []string{"services.k8s.aws/namespace", "services.k8s.aws/controller-version"}
 )
 
 {{- if $hookCode := Hook .CRD "convert_tags" }}
@@ -87,21 +88,20 @@ func FromACKTags(tags acktags.Tags) {{ $tagFieldGoType }} {
 }
 {{ end }}
 
-// IgnoreAWSTags ignores tags that have keys that start with "aws:"
-// is needed to ensure the controller does not attempt to remove
-// tags set by AWS
+// ignoreSystemTags ignores tags that have keys that start with "aws:"
+// and ACKSystemTags, to avoid patching them to the resourceSpec.
 // Eg. resources created with cloudformation have tags that cannot be
 // removed by an ACK controller
-func IgnoreAWSTags(tags acktags.Tags) {
+func ignoreSystemTags(tags acktags.Tags) {
 	for k := range tags {
 		if strings.HasPrefix(k, "aws:") ||
-			strings.HasPrefix(k, "services.k8s.aws/") {
+			slices.Contains(ACKSystemTags, k) {
 			delete(tags, k)
 		}
 	}
 }
 
-// SyncAWSTags ensures AWS-managed tags (prefixed with "aws:") from the latest resource state
+// syncAWSTags ensures AWS-managed tags (prefixed with "aws:") from the latest resource state
 // are preserved in the desired state. This prevents the controller from attempting to
 // modify AWS-managed tags, which would result in an error.
 //
@@ -120,7 +120,7 @@ func IgnoreAWSTags(tags acktags.Tags) {
 //	desired := Tags{"environment": "dev"}
 //	SyncAWSTags(desired, latest)
 //	desired now contains {"aws:cloudformation:stack-name": "my-stack", "environment": "dev"}
-func SyncAWSTags(a acktags.Tags, b acktags.Tags) {
+func syncAWSTags(a acktags.Tags, b acktags.Tags) {
 	for k := range b {
 		if strings.HasPrefix(k, "aws:") {
 			a[k] = b[k]