diff --git a/pkg/asset/machines/aws/machines.go b/pkg/asset/machines/aws/machines.go
index 3a6cc49d67..45ba7f43ab 100644
--- a/pkg/asset/machines/aws/machines.go
+++ b/pkg/asset/machines/aws/machines.go
@@ -111,10 +111,15 @@ func Machines(clusterID string, region string, subnets map[string]string, pool *
 		}
 		if subnet == "" {
 			domain.Subnet.Type = machinev1.AWSFiltersReferenceType
-			domain.Subnet.Filters = &[]machinev1.AWSResourceFilter{{
-				Name:   "tag:Name",
-				Values: []string{fmt.Sprintf("%s-private-%s", clusterID, zone)},
-			}}
+			domain.Subnet.Filters = &[]machinev1.AWSResourceFilter{
+				{
+					Name: "tag:Name",
+					Values: []string{
+						fmt.Sprintf("%s-private-%s", clusterID, zone), // legacy Terraform config, TODO remove
+						fmt.Sprintf("%s-subnet-private-%s", clusterID, zone),
+					},
+				},
+			}
 		} else {
 			domain.Subnet.Type = machinev1.AWSIDReferenceType
 			domain.Subnet.ID = pointer.String(subnet)
@@ -178,12 +183,35 @@ func provider(in *machineProviderInput) (*machineapi.AWSMachineProviderConfig, e
 		return nil, errors.Wrap(err, "failed to create machineapi.TagSpecifications from UserTags")
 	}
 
-	securityGroups := []machineapi.AWSResourceReference{{
-		Filters: []machineapi.Filter{{
+	sgFilters := []machineapi.Filter{
+		{
 			Name:   "tag:Name",
-			Values: []string{fmt.Sprintf("%s-%s-sg", in.clusterID, in.role)},
-		}},
-	}}
+			Values: []string{fmt.Sprintf("%s-%s-sg", in.clusterID, in.role)}, // legacy Terraform config, remove with Terraform
+		},
+		{
+			Name:   "tag:Name",
+			Values: []string{fmt.Sprintf("%s-node", in.clusterID)},
+		},
+		{
+			Name:   "tag:Name",
+			Values: []string{fmt.Sprintf("%s-lb", in.clusterID)},
+		},
+	}
+
+	if in.role == "master" {
+		cpFilter := machineapi.Filter{
+			Name:   "tag:Name",
+			Values: []string{fmt.Sprintf("%s-controlplane", in.clusterID)},
+		}
+		sgFilters = append(sgFilters, cpFilter)
+	}
+
+	securityGroups := []machineapi.AWSResourceReference{}
+	for _, filter := range sgFilters {
+		securityGroups = append(securityGroups, machineapi.AWSResourceReference{
+			Filters: []machineapi.Filter{filter},
+		})
+	}
 	securityGroupsIn := []machineapi.AWSResourceReference{}
 	for _, sgID := range in.securityGroupIDs {
 		sgID := sgID
@@ -223,17 +251,24 @@ func provider(in *machineProviderInput) (*machineapi.AWSMachineProviderConfig, e
 		SecurityGroups:    securityGroups,
 	}
 
-	subnetName := fmt.Sprintf("%s-private-%s", in.clusterID, in.zone)
+	visibility := "private"
 	if in.publicSubnet {
 		config.PublicIP = pointer.Bool(in.publicSubnet)
-		subnetName = fmt.Sprintf("%s-public-%s", in.clusterID, in.zone)
+		visibility = "public"
+	}
+
+	subnetFilters := []machineapi.Filter{
+		{
+			Name: "tag:Name",
+			Values: []string{
+				fmt.Sprintf("%s-%s-%s", in.clusterID, visibility, in.zone),
+				fmt.Sprintf("%s-subnet-%s-%s", in.clusterID, visibility, in.zone), // legacy Terraform config, remove with Terraform
+			},
+		},
 	}
 
 	if in.subnet == "" {
-		config.Subnet.Filters = []machineapi.Filter{{
-			Name:   "tag:Name",
-			Values: []string{subnetName},
-		}}
+		config.Subnet.Filters = subnetFilters
 	} else {
 		config.Subnet.ID = pointer.String(in.subnet)
 	}