diff --git a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts
index e802e4e770e50..7fe12005051dc 100644
--- a/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/cluster-resource-handler/cluster.ts
@@ -218,6 +218,18 @@ export class ClusterResourceHandler extends ResourceHandler {
       }
 
       if (updates.updateAuthMode) {
+        // update-authmode will fail if we try to update to the same mode,
+        // so skip in this case.
+        try {
+          const cluster = (await this.eks.describeCluster({ name: this.clusterName })).cluster;
+          if (cluster?.accessConfig?.authenticationMode === this.newProps.accessConfig?.authenticationMode) {
+            console.log(`cluster already at ${cluster?.accessConfig?.authenticationMode}, skipping authMode update`);
+            return;
+          }
+        } catch (e: any) {
+          throw e;
+        }
+
         // the update path must be
         // `undefined or CONFIG_MAP` -> `API_AND_CONFIG_MAP` -> `API`
         // and it's one way path.
@@ -247,17 +259,6 @@ export class ClusterResourceHandler extends ResourceHandler {
           this.newProps.accessConfig?.authenticationMode === 'API') {
           throw new Error('Cannot update from CONFIG_MAP to API');
         }
-        // update-authmode will fail if we try to update to the same mode,
-        // so skip in this case.
-        try {
-          const cluster = (await this.eks.describeCluster({ name: this.clusterName })).cluster;
-          if (cluster?.accessConfig?.authenticationMode === this.newProps.accessConfig?.authenticationMode) {
-            console.log(`cluster already at ${cluster?.accessConfig?.authenticationMode}, skipping authMode update`);
-            return;
-          }
-        } catch (e: any) {
-          throw e;
-        }
         config.accessConfig = this.newProps.accessConfig;
       }
 
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
index 2c76acfb415bf..5c65a471f87a9 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-handler-mocks.ts
@@ -90,6 +90,7 @@ export const client: EksClient = {
         arn: 'arn:cluster-arn',
         certificateAuthority: { data: 'certificateAuthority-data' },
         endpoint: 'http://endpoint',
+        accessConfig: { authenticationMode: 'CONFIG_MAP' },
         status: simulateResponse.describeClusterResponseMockStatus || 'ACTIVE',
       },
     };
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts
index a7e49575ee0d4..8b012cec1e03d 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-eks/cluster-resource-provider.test.ts
@@ -590,21 +590,6 @@ describe('cluster resource provider', () => {
 
           expect(error.message).toEqual('Cannot fallback authenticationMode from defined to undefined');
         });
-        test('fails from API_AND_CONFIG_MAP to CONFIG_MAP', async () => {
-          const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
-            accessConfig: { authenticationMode: 'CONFIG_MAP' },
-          }, {
-            accessConfig: { authenticationMode: 'API_AND_CONFIG_MAP' },
-          }));
-          let error: any;
-          try {
-            await handler.onEvent();
-          } catch (e) {
-            error = e;
-          }
-
-          expect(error.message).toEqual('Cannot fallback authenticationMode from API_AND_CONFIG_MAP to CONFIG_MAP');
-        });
         test('fails from API to undefined', async () => {
           const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
             accessConfig: { authenticationMode: undefined },
@@ -635,21 +620,6 @@ describe('cluster resource provider', () => {
 
           expect(error.message).toEqual('Cannot fallback authenticationMode from API to API_AND_CONFIG_MAP');
         });
-        test('fails from API to CONFIG_MAP', async () => {
-          const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
-            accessConfig: { authenticationMode: 'CONFIG_MAP' },
-          }, {
-            accessConfig: { authenticationMode: 'API' },
-          }));
-          let error: any;
-          try {
-            await handler.onEvent();
-          } catch (e) {
-            error = e;
-          }
-
-          expect(error.message).toEqual('Cannot fallback authenticationMode from API to CONFIG_MAP');
-        });
         test('fails from undefined to API', async () => {
           const handler = new ClusterResourceHandler(mocks.client, mocks.newRequest('Update', {
             accessConfig: { authenticationMode: 'API' },