diff --git a/pkg/model/master_volumes.go b/pkg/model/master_volumes.go
index ec3d0a6dc4..ce6e84ee4b 100644
--- a/pkg/model/master_volumes.go
+++ b/pkg/model/master_volumes.go
@@ -130,6 +130,9 @@ func (b *MasterVolumeBuilder) addAWSVolume(c *fi.ModelBuilderContext, name strin
 	// This says "only mount on a master"
 	tags[awsup.TagNameRolePrefix+"master"] = "1"
 
+	// We always add an owned tags (these can't be shared)
+	tags["kubernetes.io/cluster/"+b.Cluster.ObjectMeta.Name] = "owned"
+
 	encrypted := fi.BoolValue(m.EncryptedVolume)
 
 	t := &awstasks.EBSVolume{
diff --git a/upup/pkg/fi/cloudup/awstasks/ebsvolume.go b/upup/pkg/fi/cloudup/awstasks/ebsvolume.go
index 553e14d39b..e84bcead1f 100644
--- a/upup/pkg/fi/cloudup/awstasks/ebsvolume.go
+++ b/upup/pkg/fi/cloudup/awstasks/ebsvolume.go
@@ -19,6 +19,7 @@ package awstasks
 import (
 	"fmt"
 
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/golang/glog"
 	"k8s.io/kops/upup/pkg/fi"
@@ -141,6 +142,19 @@ func (_ *EBSVolume) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *EBSVolume) e
 			Encrypted:        e.Encrypted,
 		}
 
+		if len(e.Tags) != 0 {
+			request.TagSpecifications = []*ec2.TagSpecification{
+				{ResourceType: aws.String(ec2.ResourceTypeVolume)},
+			}
+
+			for k, v := range e.Tags {
+				request.TagSpecifications[0].Tags = append(request.TagSpecifications[0].Tags, &ec2.Tag{
+					Key:   aws.String(k),
+					Value: aws.String(v),
+				})
+			}
+		}
+
 		response, err := t.Cloud.EC2().CreateVolume(request)
 		if err != nil {
 			return fmt.Errorf("error creating PersistentVolume: %v", err)