diff --git a/README.md b/README.md
index 4ed76918a9..dddacf4b8b 100644
--- a/README.md
+++ b/README.md
@@ -168,6 +168,7 @@ MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-a
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | attach\_worker\_cni\_policy | Whether to attach the Amazon managed `AmazonEKS_CNI_Policy` IAM policy to the default worker IAM role. WARNING: If set `false` the permissions must be assigned to the `aws-node` DaemonSet pods via another method or nodes will not be able to join the cluster. | `bool` | `true` | no |
+| aws\_auth\_additional\_labels | Additionnal kubernetes labels applied on aws-auth ConfigMap | `map(string)` | `{}` | no |
 | cluster\_create\_endpoint\_private\_access\_sg\_rule | Whether to create security group rules for the access to the Amazon EKS private API server endpoint. | `bool` | `false` | no |
 | cluster\_create\_security\_group | Whether to create a security group for the cluster or attach the cluster to `cluster_security_group_id`. | `bool` | `true` | no |
 | cluster\_create\_timeout | Timeout value when creating the EKS cluster. | `string` | `"30m"` | no |
diff --git a/aws_auth.tf b/aws_auth.tf
index a4d9211288..aa4cf482ef 100644
--- a/aws_auth.tf
+++ b/aws_auth.tf
@@ -67,6 +67,15 @@ resource "kubernetes_config_map" "aws_auth" {
 metadata {
 name = "aws-auth"
 namespace = "kube-system"
+ labels = merge(
+ {
+ "app.kubernetes.io/managed-by" = "Terraform"
+ # / are replaced by . because label validator fails in this lib
+ # https://github.com/kubernetes/apimachinery/blob/1bdd76d09076d4dc0362456e59c8f551f5f24a72/pkg/util/validation/validation.go#L166
+ "terraform.io/module" = "terraform-aws-modules.eks.aws"
+ },
+ var.aws_auth_additional_labels
+ )
 }

 data = {
diff --git a/variables.tf b/variables.tf
index dce05e123a..051d3b1d5a 100644
--- a/variables.tf
+++ b/variables.tf
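Review bot: In `labels = merge(...)` in aws_auth.tf the caller's `var.aws_auth_additional_labels` is the last argument, so a key it shares with the module's map replaces `app.kubernetes.io/managed-by` or `terraform.io/module` without any signal. aws-auth is the ConfigMap that maps IAM principals to cluster RBAC, so anything that locates it by those ownership labels (inventory, audit or drift checks; none is visible in this diff) would stop matching after an override. If overriding is not meant to be supported, pass the variable first, `merge(var.aws_auth_additional_labels, { ...module labels... })`; if it is, state it in the variable description. The in-code comment would read more clearly as `# "/" is written as "." in this value because the Kubernetes label validator rejects "/"`. The `kubernetes_config_map` resource starts and ends outside this hunk.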
@@ -47,6 +47,12 @@ variable "manage_aws_auth" {
 default = true
 }

+variable "aws_auth_additional_labels" {
+ description = "Additionnal kubernetes labels applied on aws-auth ConfigMap"
+ default = {}
+ type = map(string)
+}
+
 variable "map_accounts" {
 description = "Additional AWS account numbers to add to the aws-auth configmap. See examples/basic/variables.tf for example format."
 type = list(string)
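Review bot: The `description` of `aws_auth_additional_labels` misspells "Additional" as "Additionnal", and the README row added in the same commit carries the same text. It also does not say what happens on a key collision; with the `merge()` order used in aws_auth.tf the caller's value wins, so something like `description = "Additional Kubernetes labels applied to the aws-auth ConfigMap. Keys matching the module's own labels override them."` would document that. `map_accounts` just below puts `type` directly after `description`, so moving `type = map(string)` above `default = {}` would match it; the `map_accounts` block continues past the end of this hunk.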