diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5f32308bfb..397c879639 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,9 +17,8 @@ env:
   # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
   # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
   # credentials have been provided before trying to run steps that need them.
-  CONTRIB_DOCKER_USR: ${{ secrets.CONTRIB_DOCKER_USR }}
+  SUJAY_DOCKER_USR: ${{ secrets.SUJAY_DOCKER_USR }}
   XPKG_ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }}
-  AWS_USR: ${{ secrets.AWS_USR }}
 
 jobs:
   detect-noop:
@@ -319,10 +318,10 @@ jobs:
       
       - name: Login to Docker
         uses: docker/login-action@v1
-        if: env.CONTRIB_DOCKER_USR != ''
+        if: env.SUJAY_DOCKER_USR != ''
         with:
-          username: ${{ secrets.CONTRIB_DOCKER_USR }}
-          password: ${{ secrets.CONTRIB_DOCKER_PSW }}
+          username: ${{ secrets.SUJAY_DOCKER_USR }}
+          password: ${{ secrets.SUJAY_DOCKER_PSW }}
       
       - name: Login to Upbound
         uses: docker/login-action@v1
@@ -332,20 +331,15 @@ jobs:
           username: ${{ secrets.XPKG_ACCESS_ID }}
           password: ${{ secrets.XPKG_TOKEN }}
  
-      - name: Publish Artifacts to S3 and Docker Hub
+      - name: Publish Artifacts to Docker Hub
         run: make -j2 publish BRANCH_NAME=${GITHUB_REF##*/}
-        if: env.AWS_USR != '' && env.CONTRIB_DOCKER_USR != ''
+        if: env.SUJAY_DOCKER_USR != ''
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
           GIT_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       
-      - name: Promote Artifacts in S3 and Docker Hub
-        if: github.ref == 'refs/heads/master' && env.AWS_USR != '' && env.CONTRIB_DOCKER_USR != ''
+      - name: Promote Artifacts in Docker Hub
+        if: github.ref == 'refs/heads/master' && env.SUJAY_DOCKER_USR != ''
         run: make -j2 promote
         env:
           BRANCH_NAME: master
           CHANNEL: master
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_USR }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_PSW }}
-        
diff --git a/.github/workflows/promote.yml b/.github/workflows/promote.yml
index a8767e60b2..7a84ab1c20 100644
--- a/.github/workflows/promote.yml
+++ b/.github/workflows/promote.yml
@@ -18,7 +18,7 @@ env:
   # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
   # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
   # credentials have been provided before trying to run steps that need them.
-  CONTRIB_DOCKER_USR: ${{ secrets.CONTRIB_DOCKER_USR }}
+  SUJAY_DOCKER_USR: ${{ secrets.SUJAY_DOCKER_USR }}
   AWS_USR: ${{ secrets.AWS_USR }}
 
 jobs:
@@ -41,13 +41,13 @@ jobs:
 
       - name: Login to Docker
         uses: docker/login-action@v1
-        if: env.CONTRIB_DOCKER_USR != ''
+        if: env.SUJAY_DOCKER_USR != ''
         with:
-          username: ${{ secrets.CONTRIB_DOCKER_USR }}
-          password: ${{ secrets.CONTRIB_DOCKER_PSW }}
+          username: ${{ secrets.SUJAY_DOCKER_USR }}
+          password: ${{ secrets.SUJAY_DOCKER_PSW }}
 
       - name: Promote Artifacts in S3 and Docker Hub
-        if: env.AWS_USR != '' && env.CONTRIB_DOCKER_USR != ''
+        if: env.AWS_USR != '' && env.SUJAY_DOCKER_USR != ''
         run: make -j2 promote BRANCH_NAME=${GITHUB_REF##*/}
         env:
           VERSION: ${{ github.event.inputs.version }}
diff --git a/Makefile b/Makefile
index ea01e0d69c..73f34c034e 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@
 
 PROJECT_NAME := provider-aws
 PROJECT_REPO := github.com/crossplane-contrib/$(PROJECT_NAME)
+DOCKER_REGISTRY := ssuman2
 
 PLATFORMS ?= linux_amd64 linux_arm64
 
@@ -61,10 +62,7 @@ IMAGES = provider-aws
 # ====================================================================================
 # Setup XPKG
 
-XPKG_REG_ORGS ?= xpkg.upbound.io/crossplane-contrib index.docker.io/crossplanecontrib
-# NOTE(hasheddan): skip promoting on xpkg.upbound.io as channel tags are
-# inferred.
-XPKG_REG_ORGS_NO_PROMOTE ?= xpkg.upbound.io/crossplane-contrib
+XPKG_REG_ORGS ?= index.docker.io/ssuman2
 XPKGS = provider-aws
 -include build/makelib/xpkg.mk
 
diff --git a/pkg/controller/rds/dbinstance/setup.go b/pkg/controller/rds/dbinstance/setup.go
index 91eddaf1c4..ddd5791aa9 100644
--- a/pkg/controller/rds/dbinstance/setup.go
+++ b/pkg/controller/rds/dbinstance/setup.go
@@ -30,6 +30,7 @@ import (
 	"github.com/crossplane-contrib/provider-aws/apis/v1alpha1"
 	aws "github.com/crossplane-contrib/provider-aws/pkg/clients"
 	dbinstance "github.com/crossplane-contrib/provider-aws/pkg/clients/rds"
+	svcutils "github.com/crossplane-contrib/provider-aws/pkg/controller/rds"
 	"github.com/crossplane-contrib/provider-aws/pkg/controller/rds/utils"
 	"github.com/crossplane-contrib/provider-aws/pkg/features"
 )
@@ -450,6 +451,15 @@ func (e *custom) isUpToDate(cr *svcapitypes.DBInstance, out *svcsdk.DescribeDBIn
 		cmpopts.IgnoreFields(svcapitypes.CustomDBInstanceParameters{}, "DeleteAutomatedBackups"),
 	)
 
+	// for tagging: at least one option must be added, modified, or removed.
+	tagsUpToDate, _ := svcutils.AreTagsUpToDate(e.client, cr.Spec.ForProvider.Tags, cr.Status.AtProvider.DBInstanceARN)
+	if !tagsUpToDate {
+		err := svcutils.UpdateTagsForResource(e.client, cr.Spec.ForProvider.Tags, cr.Status.AtProvider.DBInstanceARN)
+		if err != nil {
+			return true, aws.Wrap(err, errDescribe)
+		}
+	}
+
 	if diff == "" && !maintenanceWindowChanged && !backupWindowChanged && !versionChanged && !vpcSGsChanged && !dbParameterGroupChanged && !optionGroupChanged {
 		return true, nil
 	}