diff --git a/pkg/cloud/aws/aws_config_transformer.go b/pkg/cloud/aws/aws_config_transformer.go
index 2caf36ff9..953229a01 100644
--- a/pkg/cloud/aws/aws_config_transformer.go
+++ b/pkg/cloud/aws/aws_config_transformer.go
@@ -83,4 +83,9 @@ func setOpenShiftDefaults(cfg *awsconfig.CloudConfig) {
 // health check endpoint served by OVN.
 cfg.Global.ClusterServiceLoadBalancerHealthProbeMode = "Shared"
 }
+ if cfg.Global.NLBSecurityGroupMode != awsconfig.NLBSecurityGroupModeManaged {
+ // OpenShift enforces security group by default when deploying
+ // service type loadbalancer NLB.
+ cfg.Global.NLBSecurityGroupMode = awsconfig.NLBSecurityGroupModeManaged
+ }
 }
diff --git a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
index efae450ed..5873c62da 100644
--- a/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
+++ b/vendor/k8s.io/cloud-provider-aws/pkg/providers/v1/config/config.go
@@ -17,6 +17,12 @@ const (
 // ClusterServiceLoadBalancerHealthProbeModeServiceNodePort is the service node port health probe mode for cluster service load balancer.
 ClusterServiceLoadBalancerHealthProbeModeServiceNodePort = "ServiceNodePort"
+
+ // NLBSecurityGroupModeManaged indicates the controller is managing security groups on service type loadbalancer NLB.
+ NLBSecurityGroupModeManaged = "Managed"
+
+ // NLBSecurityGroupModeUnmanaged indicates the controller is not managing security groups on service type loadbalancer NLB.
+ NLBSecurityGroupModeUnmanaged = "Unmanaged"
 )
 // CloudConfig wraps the settings for the AWS cloud provider.
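Review bot: In `setOpenShiftDefaults` (pkg/cloud/aws/aws_config_transformer.go), the new block overwrites every `NLBSecurityGroupMode` value that is not `Managed`, including an explicit `Unmanaged` from the operator's cloud config, yet the comment describes this as a default. If enforcement is intended, the guard is redundant and the comment should say so, e.g. an unconditional assignment under `// OpenShift always runs NLB services with controller-managed security groups; any other configured value is overridden.`; if only a default is intended, the condition should be `if cfg.Global.NLBSecurityGroupMode == "" {`. Either way, a log line when a non-empty user value is replaced would make the override visible, since it changes which security groups end up attached to the load balancer. The function body starts outside the hunk, so whether a logger is in scope there cannot be seen from here.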
@@ -83,6 +89,10 @@ type CloudConfig struct {
 // ClusterServiceSharedLoadBalancerHealthProbePath defines the target path of the shared health probe. Default to `/healthz`.
 ClusterServiceSharedLoadBalancerHealthProbePath string `json:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty" yaml:"clusterServiceSharedLoadBalancerHealthProbePath,omitempty"`
+
+ // NLBSecurityGroupMode determines if the controller manage, creates and attaches, the security group when the service type
+ // loadbalancer NLB is created.
+ NLBSecurityGroupMode string `json:"nlbSecurityGroupMode,omitempty" yaml:"nlbSecurityGroupMode,omitempty"`
 }
 // [ServiceOverride "1"]
 // Service = s3