diff --git a/internal/cli/command/controlplane/utils.go b/internal/cli/command/controlplane/utils.go
index 4f75ac0f..9807bf94 100644
--- a/internal/cli/command/controlplane/utils.go
+++ b/internal/cli/command/controlplane/utils.go
@@ -165,13 +165,19 @@ func getImageMetadata(cpContext *cpContext, values map[string]interface{}, write
 
 	awsAccessKeyID := ""
 	if values["provider"] == providerEc2 || imageMeta.Custom.CredentialType == "aws" {
-		profile := "default"
+		profile := ""
 		assumeRole := ""
 		if v, ok := values["providerConfig"]; ok {
 			providerConfig := cast.ToStringMap(v)
 			profile = cast.ToString(providerConfig["profile"])
 			assumeRole = cast.ToString(providerConfig["assume_role"])
 		}
+		if envProfile, ok := os.LookupEnv("AWS_PROFILE"); ok {
+			if profile != "" {
+				log.Warnf("AWS profile `%s` in the providerConfig is overridden to `%s` by AWS_PROFILE env var explicitly", profile, envProfile)
+			}
+			profile = envProfile
+		}
 		log.Debug("using local AWS credentials")
 		id, creds, err := input.GetAmazonCredentials(profile, assumeRole)
 		if err != nil {
diff --git a/internal/cli/input/secret.go b/internal/cli/input/secret.go
index e2f1f0eb..53e17829 100644
--- a/internal/cli/input/secret.go
+++ b/internal/cli/input/secret.go
@@ -96,7 +96,7 @@ func GetAmazonCredentials(profile string, assumeRole string) (string, map[string
 	// use direct auth based on exported env vars
 	if id, ok := os.LookupEnv("AWS_ACCESS_KEY_ID"); ok {
 		if profile != "" {
-			log.Warnf("AWS profile %s is overridden by access key id %s explicitly", profile, id)
+			log.Warnf("AWS profile `%s` is overridden to `%s` by AWS_ACCESS_KEY_ID env var explicitly", profile, id)
 		}
 		sess, err = session.NewSession(&aws.Config{})
 	} else {