diff --git a/pkg/model/iam.go b/pkg/model/iam.go
index f371b6d13ba8b..575b3e66478ab 100644
--- a/pkg/model/iam.go
+++ b/pkg/model/iam.go
@@ -18,6 +18,7 @@ package model
 
 import (
 	"fmt"
+	"sort"
 	"strings"
 
 	"k8s.io/klog/v2"
@@ -254,6 +255,7 @@ func (b *IAMModelBuilder) buildIAMTasks(role iam.Subject, iamName string, c *fi.
 				p := *(b.Cluster.Spec.ExternalPolicies)
 				externalPolicies = append(externalPolicies, p[roleKey]...)
 			}
+			sort.Strings(externalPolicies)
 
 			name := fmt.Sprintf("%s-policyoverride", roleKey)
 			t := &awstasks.IAMRolePolicy{
diff --git a/upup/pkg/fi/cloudup/awstasks/iamrolepolicy.go b/upup/pkg/fi/cloudup/awstasks/iamrolepolicy.go
index 6261400d2ed35..c09da28bd2ad0 100644
--- a/upup/pkg/fi/cloudup/awstasks/iamrolepolicy.go
+++ b/upup/pkg/fi/cloudup/awstasks/iamrolepolicy.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"hash/fnv"
 	"net/url"
+	"sort"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
@@ -76,6 +77,7 @@ func (e *IAMRolePolicy) Find(c *fi.Context) (*IAMRolePolicy, error) {
 				policies = append(policies, aws.StringValue(policy.PolicyArn))
 			}
 		}
+		sort.Strings(policies)
 
 		actual.ID = e.ID
 		actual.Name = e.Name