diff --git a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
index 049de10431..1c91b1486a 100644
--- a/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
+++ b/cmd/clusterawsadm/cloudformation/bootstrap/cluster_api_controller.go
@@ -409,6 +409,20 @@ func (t Template) ControllersPolicyEKS() *iamv1.PolicyDocument {
 })
 }
 
+ if !t.Spec.EKS.ManagedMachinePool.Disable {
+ statements = append(statements, iamv1.StatementEntry{
+ Action: iamv1.Actions{
+ "iam:GetPolicy",
+ },
+ Resource: iamv1.Resources{
+ "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
+ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
+ "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
+ },
+ Effect: iamv1.EffectAllow,
+ })
+ }
+
 statements = append(statements, []iamv1.StatementEntry{
 {
 Action: allowedIAMActions,
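Review bot: The three `Resource` ARNs in the new `iam:GetPolicy` statement hard-code the `aws` partition, so in the `aws-us-gov` or `aws-cn` partitions the statement would match no managed policy and the controller's lookups for managed machine pools would presumably be denied. If the template already carries a partition setting (not visible in this hunk), build the ARNs from it, e.g. `"arn:" + partition + ":iam::aws:policy/AmazonEKSWorkerNodePolicy"`, with `partition` standing in for that value. Keeping the grant to one read-only action on three named policies is the right least-privilege shape, so the fix should not widen `Resource` to `*`. A short comment above the `if`, such as `// Managed machine pools look up the AWS-managed node policies before attaching them to the node role.`, would record why the permission exists, if that is indeed the reason. `ControllersPolicyEKS` begins and ends outside the hunk, so how `statements` is assembled into the final document is not visible here.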