diff --git a/codebuild/main.tf b/codebuild/main.tf
index c333217..2c40dbc 100644
--- a/codebuild/main.tf
+++ b/codebuild/main.tf
@@ -212,6 +212,8 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
 "sns:SetTopicAttributes",
 "sns:Subscribe",
 "sns:Unsubscribe",
+ "sns:GetSubscriptionAttributes",
+ "sns:ListSubscriptionsByTopic",
 "sns:TagResource",
 ]
 resources = [
@@ -290,6 +292,42 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
 "arn:${data.aws_partition.current.partition}:s3:::csvd-dev-ew-github-actions/*",
 ]
 }
+
+ # ── ECR (image clone / repository management) ─────────────────────────────
+ statement {
+ sid = "ECRToken"
+ effect = "Allow"
+ actions = [
+ "ecr:GetAuthorizationToken",
+ ]
+ resources = ["*"]
+ }
+
+ statement {
+ sid = "ECRRepositories"
+ effect = "Allow"
+ actions = [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository",
+ "ecr:DeleteRepository",
+ "ecr:GetRepositoryPolicy",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:ListTagsForResource",
+ "ecr:TagResource",
+ "ecr:UntagResource",
+ "ecr:BatchGetImage",
+ "ecr:BatchCheckLayerAvailability",
+ "ecr:GetDownloadUrlForLayer",
+ "ecr:InitiateLayerUpload",
+ "ecr:UploadLayerPart",
+ "ecr:CompleteLayerUpload",
+ "ecr:PutImage",
+ ]
+ resources = [
+ "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/*",
+ ]
+ }
 }
 
 # ── Module call ───────────────────────────────────────────────────────────────
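Review bot: `sns:GetSubscriptionAttributes` is evaluated against a subscription ARN (`arn:…:sns:region:account:topic:subscription-id`), not the topic ARN, so if the `resources = [` list that begins at the end of this hunk holds exact topic ARNs the new action will be denied at runtime even though `ListSubscriptionsByTopic` succeeds. The resources list itself is outside the hunk, so this is a check rather than a confirmed defect. If it is exact topic ARNs, either append a subscription-level pattern such as `"${aws_sns_topic.x.arn}:*"` alongside each topic ARN, or move `GetSubscriptionAttributes` into its own statement with that resource shape. The enclosing `ghe_runner_deploy` policy document starts and ends outside this hunk.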
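Review bot: The `ECRRepositories` statement grants `ecr:SetRepositoryPolicy`, `ecr:DeleteRepositoryPolicy`, `ecr:DeleteRepository` and `ecr:PutImage` on `repository/*`, so the runner role can rewrite the resource policy of, delete, or push over existing tags in every ECR repository in this account and region, not only the ones it clones into. A repository policy is the cross-account grant mechanism for ECR, so a compromised runner (or a malicious workflow) could expose any image in the account to another principal or tamper with images other pipelines pull; nothing in the hunk constrains this. Narrow the ARN to the repositories this runner owns (the S3 bucket in the preceding context suggests a `csvd-` naming prefix, but confirm) and move the policy and delete actions into a separate statement so the pull/push set and the mutating set can be scoped independently. `ecr:GetAuthorizationToken` on `"*"` is correct, since that API is not resource-scoped.
```hcl
  statement {
    sid    = "ECRRepositories"
    effect = "Allow"
    actions = [
      "ecr:DescribeRepositories",
      "ecr:CreateRepository",
      # … unchanged: tag, pull and push actions …
      "ecr:PutImage",
    ]
    resources = [
      # TODO(review): confirm the repository naming prefix this runner actually uses
      "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/csvd-*",
    ]
  }

  # Repository policy edits are a cross-account grant path and deletion is
  # destructive; keep them in their own narrowly scoped statement.
  statement {
    sid    = "ECRRepositoryAdmin"
    effect = "Allow"
    actions = [
      "ecr:DeleteRepository",
      "ecr:GetRepositoryPolicy",
      "ecr:SetRepositoryPolicy",
      "ecr:DeleteRepositoryPolicy",
    ]
    resources = [
      "arn:${data.aws_partition.current.partition}:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/csvd-*",
    ]
  }
```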