diff --git a/README.md b/README.md
index f0bbb49..0c84d65 100644
--- a/README.md
+++ b/README.md
@@ -215,6 +215,9 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [allow\_cross\_account\_lambda\_read\_access](#input\_cross\_account\_lambda\_read\_access) | Determines whether the repository policy will allow cross account lambda read access. Required `cross_account_ids`, `cross_account_read_access_lambda_arns` | `bool` | `false` | no |
+| [cross\_account\_ids](#input\_cross\_account\_ids) | Cross account ids. Required `allow_cross_account_lambda_read_access`, `cross_account_read_access_lambda_arns` | `list(str)` | `[]` | no |
+| [cross\_account\_read\_access\_lambda\_arns](#input\_cross\_account\_read\_access\_lambda\_arns) | Cross account lambda function arns. Required `allow_cross_account_lambda_read_access`, `cross_account_ids` | `list(str)` | `[]` | no |
| [attach\_repository\_policy](#input\_attach\_repository\_policy) | Determines whether a repository policy will be attached to the repository | `bool` | `true` | no |
| [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
| [create\_lifecycle\_policy](#input\_create\_lifecycle\_policy) | Determines whether a lifecycle policy will be created | `bool` | `true` | no |
@@ -234,7 +237,8 @@ No modules.
| [repository\_image\_scan\_on\_push](#input\_repository\_image\_scan\_on\_push) | Indicates whether images are scanned after being pushed to the repository (`true`) or not scanned (`false`) | `bool` | `true` | no |
| [repository\_image\_tag\_mutability](#input\_repository\_image\_tag\_mutability) | The tag mutability setting for the repository. Must be one of: `MUTABLE` or `IMMUTABLE`. Defaults to `IMMUTABLE` | `string` | `"IMMUTABLE"` | no |
| [repository\_kms\_key](#input\_repository\_kms\_key) | The ARN of the KMS key to use when encryption\_type is `KMS`. If not specified, uses the default AWS managed key for ECR | `string` | `null` | no |
-| [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | The ARNs of the Lambda service roles that have read access to the repository | `list(string)` | `[]` | no |
+| [repository\_lambda\_read\_access](#input\_repository\_lambda\_read\_access) | Determines whether the repository policy will allow read access to the repository for all lambda functions in the account | `bool` | `false` | no |
+| [repository\_lambda\_read\_access\_arns](#input\_repository\_lambda\_read\_access\_arns) | Deprecated. Use `repository_lambda_read_access` instead | `list(string)` | `[]` | no |
| [repository\_lifecycle\_policy](#input\_repository\_lifecycle\_policy) | The policy document. This is a JSON formatted string. See more details about [Policy Parameters](http://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html#lifecycle_policy_parameters) in the official AWS docs | `string` | `""` | no |
| [repository\_name](#input\_repository\_name) | The name of the repository | `string` | `""` | no |
| [repository\_policy](#input\_repository\_policy) | The JSON policy to apply to the repository. If not specified, uses the default policy | `string` | `null` | no |
diff --git a/main.tf b/main.tf
index 2b707d5..ddc530a 100644
--- a/main.tf
+++ b/main.tf
@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "repository" {
dynamic "statement" {
- for_each = var.repository_type == "private" && length(var.repository_lambda_read_access_arns) > 0 ? [1] : []
+ for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []
content {
sid = "PrivateLambdaReadOnly"
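Review bot: Keeping `length(var.repository_lambda_read_access_arns) > 0` as a trigger here, while the next hunk moves the `aws:sourceArn` condition that used to scope this statement over to the cross-account statement, means a caller who still sets the deprecated ARN list now gets an unconditioned `lambda.amazonaws.com` grant instead of one limited to those functions. That is a silent privilege widening for existing users of the module; while the deprecated variable exists it should still feed a condition, e.g. a `dynamic "condition"` block that emits `test = "StringLike"`, `variable = "aws:SourceArn"`, `values = var.repository_lambda_read_access_arns` only when the list is non-empty, or the variable should be a hard error rather than a fallback. The statement body opened here continues past this hunk.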
@@ -79,13 +79,66 @@ data "aws_iam_policy_document" "repository" {
"ecr:GetDownloadUrlForLayer",
]
+ }
+ }
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []
+
+ content {
+ sid = "PrivateLambdaReadOnly"
+
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
+ }
+ }
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && (var.allow_cross_account_lambda_read_access || length(var.cross_account_ids) > 0) ? [1] : []
+
+ content {
+ sid = "CrossAccountPermission"
+ effect = "Allow"
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [for s in var.cross_account_ids : "arn:aws:iam::${s}:root"]
+ }
+ }
+ }
+ dynamic "statement" {
+ for_each = var.repository_type == "private" && (var.allow_cross_account_lambda_read_access || length(var.cross_account_read_access_lambda_arns) > 0) ? [1] : []
+
+ content {
+ sid = "LambdaECRImageCrossAccountRetrievalPolicy"
+ effect = "Allow"
+
+ actions = [
+ "ecr:BatchGetImage",
+ "ecr:GetDownloadUrlForLayer",
+ ]
+
condition {
test = "StringLike"
- variable = "aws:sourceArn"
-
- values = var.repository_lambda_read_access_arns
+ variable = "aws:sourceARN"
+ values = var.cross_account_read_access_lambda_arns
}
+ principals {
+ type = "Service"
+ identifiers = ["lambda.amazonaws.com"]
+ }
}
}
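Review bot: The `PrivateLambdaReadOnly` statement grants the `lambda.amazonaws.com` service principal with no `aws:SourceAccount` or `aws:SourceArn` condition, so despite the variable's "all lambda functions in the account" wording nothing restricts it to this account; an unconditioned service-principal grant is the classic confused-deputy shape, and as far as I can tell a Lambda function in another account that references this image URI could pull it. The same `sid = "PrivateLambdaReadOnly"` with the same `for_each` is also emitted twice (the statement opened in the previous hunk and the one added here), which at minimum duplicates the statement and, I believe, makes the document invalid because Sids must be unique — please verify. Separately, `allow_cross_account_lambda_read_access = true` with an empty `cross_account_ids` or `cross_account_read_access_lambda_arns` produces `CrossAccountPermission` with an empty `identifiers` list and the retrieval statement with empty condition `values`; gating each statement on its own list's length rather than the flag avoids that, and it is worth documenting that `CrossAccountPermission` grants the whole peer account root, not only Lambda. Suggested shape for the same-account statement (it needs an `aws_caller_identity` data source, which I cannot see in this module — add one if absent):
```hcl
dynamic "statement" {
  for_each = var.repository_type == "private" && (var.repository_lambda_read_access || length(var.repository_lambda_read_access_arns) > 0) ? [1] : []

  content {
    sid = "PrivateLambdaReadOnly"

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }

    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
    ]

    # Confused-deputy guard: only Lambda functions owned by this account may use this grant.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
# … the second, duplicate "PrivateLambdaReadOnly" dynamic statement is dropped …
# … unchanged: CrossAccountPermission and LambdaECRImageCrossAccountRetrievalPolicy statements …
```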
diff --git a/variables.tf b/variables.tf
index f3eb525..41aa2c1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -90,11 +90,31 @@ variable "repository_read_access_arns" {
default = []
}
-variable "repository_lambda_read_access_arns" {
- description = "The ARNs of the Lambda service roles that have read access to the repository"
+variable "repository_lambda_read_access" {
+ description = "Determines whether the repository policy will allow read access to the repository for all lambda functions in the account"
+ type = bool
+ default = false
+}
+variable "allow_cross_account_lambda_read_access" {
+ description = "Determines whether the repository policy will allow cross account lambda read access. Required `cross_account_ids`, `cross_account_read_access_lambda_arns`"
+ type = bool
+ default = false
+}
+variable "cross_account_ids" {
+ description = "Cross account ids. Required `allow_cross_account_lambda_read_access`, `cross_account_read_access_lambda_arns`"
+ type = list(string)
+ default = []
+}
+variable "cross_account_read_access_lambda_arns" {
+ description = "Cross account lambda function arns. Required `allow_cross_account_lambda_read_access`, `cross_account_ids`"
type = list(string)
default = []
}
+variable "repository_lambda_read_access_arns" {
+ description = "Deprecated. Use `repository_lambda_read_access` instead"
+ type = []
+ default = list(string)
+}
variable "repository_read_write_access_arns" {
description = "The ARNs of the IAM users/roles that have read/write access to the repository"
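Review bot: `repository_lambda_read_access_arns` has its `type` and `default` swapped (`type = []`, `default = list(string)`), which will not pass `terraform validate`; it should read `type = list(string)` and `default = []`. The description "Use `repository_lambda_read_access` instead" also steers users from an ARN-scoped grant to an unscoped boolean, so the deprecation text should say the replacement is broader, e.g. `Deprecated. Note that the replacement bool grants the Lambda service principal read access without per-function scoping`. The "Required `...`" wording on the three cross-account variables is not enforced anywhere visible here; consider `validation` blocks, or at least phrase it as "must be set together with" so it reads as a constraint rather than a default.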