diff --git a/internal/service/ec2/vpc_default_security_group.go b/internal/service/ec2/vpc_default_security_group.go
index 1bbdfd62994d..916ecae5d066 100644
--- a/internal/service/ec2/vpc_default_security_group.go
+++ b/internal/service/ec2/vpc_default_security_group.go
@@ -194,7 +194,8 @@ func ResourceDefaultSecurityGroup() *schema.Resource {
 func resourceDefaultSecurityGroupCreate(d *schema.ResourceData, meta interface{}) error {
 conn := meta.(*conns.AWSClient).EC2Conn
 defaultTagsConfig := meta.(*conns.AWSClient).DefaultTagsConfig
- tags := defaultTagsConfig.MergeTags(tftags.New(d.Get("tags").(map[string]interface{})))
+ ignoreTagsConfig := meta.(*conns.AWSClient).IgnoreTagsConfig
+
 securityGroupOpts := &ec2.DescribeSecurityGroupsInput{
 Filters: []*ec2.Filter{
 {
@@ -248,9 +249,12 @@ func resourceDefaultSecurityGroupCreate(d *schema.ResourceData, meta interface{}
 log.Printf("[INFO] Default Security Group ID: %s", d.Id())
- if len(tags) > 0 {
- if err := CreateTags(conn, d.Id(), tags); err != nil {
- return fmt.Errorf("error adding EC2 Default Security Group (%s) tags: %w", d.Id(), err)
+ oTagsAll := KeyValueTags(g.Tags).IgnoreAWS().IgnoreConfig(ignoreTagsConfig)
+ nTagsAll := defaultTagsConfig.MergeTags(tftags.New(d.Get("tags").(map[string]interface{})))
+
+ if !nTagsAll.Equal(oTagsAll) {
+ if err := UpdateTags(conn, d.Id(), oTagsAll.Map(), nTagsAll.Map()); err != nil {
+ return fmt.Errorf("updating Default Security Group (%s) tags: %w", d.Id(), err)
 }
 }
diff --git a/internal/service/ec2/vpc_default_security_group_test.go b/internal/service/ec2/vpc_default_security_group_test.go
index 3fc0d88d85c1..54e836d1a2e2 100644
--- a/internal/service/ec2/vpc_default_security_group_test.go
+++ b/internal/service/ec2/vpc_default_security_group_test.go
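Review bot: In vpc_default_security_group.go, the block starting at `oTagsAll := ...` now deletes every tag already on the adopted group that the configuration does not declare, and neither a comment nor a log line records that. Only what `IgnoreAWS()` and `IgnoreConfig(ignoreTagsConfig)` filter out is exempt, so tags set by other tooling (ownership labels, or keys that access policies condition on, where an account uses them) disappear on first apply with no trace in the provider log. I would add a comment above the block, `// Adoption replaces the group's existing tags; only AWS-reserved keys and keys matched by ignore_tags are left alone.`, and a debug line before the call, `log.Printf("[DEBUG] Default Security Group (%s): removing tags %v", d.Id(), oTagsAll.Removed(nTagsAll).Keys())`. `g` is assigned outside this hunk and the function body continues past it, so this assumes `g` is the group returned by the describe call.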
@@ -148,11 +148,6 @@ func TestAccVPCDefaultSecurityGroup_Classic_basic(t *testing.T) {
 }
 func TestAccVPCDefaultSecurityGroup_Classic_empty(t *testing.T) {
-
- acctest.Skip(t, "This resource does not currently clear tags when adopting the resource")
- // Additional references:
- // * https://github.com/hashicorp/terraform-provider-aws/issues/14631
-
 var group ec2.SecurityGroup
 resourceName := "aws_default_security_group.test"
@@ -168,6 +163,7 @@ func TestAccVPCDefaultSecurityGroup_Classic_empty(t *testing.T) {
 testAccCheckDefaultSecurityGroupClassicExists(resourceName, &group),
 resource.TestCheckResourceAttr(resourceName, "ingress.#", "0"),
 resource.TestCheckResourceAttr(resourceName, "egress.#", "0"),
+ resource.TestCheckResourceAttr(resourceName, "tags.%", "0"),
 ),
 },
 },
@@ -304,13 +300,10 @@ resource "aws_default_security_group" "test" {
 }
 func testAccVPCDefaultSecurityGroupConfig_classicEmpty() string {
- return acctest.ConfigCompose(
- acctest.ConfigEC2ClassicRegionProvider(),
- `
+ return acctest.ConfigCompose(acctest.ConfigEC2ClassicRegionProvider(), `
 resource "aws_default_security_group" "test" {
 # No attributes set.
-}
-`)
+}`)
 }
 func TestDefaultSecurityGroupMigrateState(t *testing.T) {
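Review bot: In TestAccVPCDefaultSecurityGroup_Classic_empty, the added `tags.%` check proves that adoption clears tags only if the default group already carries one when the test starts; nothing visible in this hunk seeds a tag, so the assertion may pass without exercising the new removal path. The `IgnoreConfig(ignoreTagsConfig)` branch added in resourceDefaultSecurityGroupCreate has no coverage in this diff either. I would tag the group out of band before the adoption step and add a case where an ignored key survives, and until then mark the dependency on the new line with `// Only meaningful if the group had tags before adoption (issue 14631).` The test's step list starts and ends outside the hunk.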