diff --git a/.github/workflows/generate-sbom-terragrunt-apply.yml b/.github/workflows/generate-sbom-terragrunt-apply.yml
index ea87a659..286e428a 100644
--- a/.github/workflows/generate-sbom-terragrunt-apply.yml
+++ b/.github/workflows/generate-sbom-terragrunt-apply.yml
@@ -15,6 +15,7 @@ env:
   CONFTEST_VERSION: 0.27.0
   TERRAFORM_VERSION: 1.1.9
   TERRAGRUNT_VERSION: 0.36.7
+  TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
   TF_INPUT: false
 
 permissions:
diff --git a/.github/workflows/generate-sbom-terragrunt-plan.yml b/.github/workflows/generate-sbom-terragrunt-plan.yml
index 9e4979ff..4be0ca44 100644
--- a/.github/workflows/generate-sbom-terragrunt-plan.yml
+++ b/.github/workflows/generate-sbom-terragrunt-plan.yml
@@ -14,6 +14,7 @@ env:
   CONFTEST_VERSION: 0.27.0
   TERRAFORM_VERSION: 1.1.9
   TERRAGRUNT_VERSION: 0.36.7
+  TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}
   TF_INPUT: false
 
 permissions:
diff --git a/terragrunt/aws/generate_sbom/ecr.tf b/terragrunt/aws/generate_sbom/ecr.tf
index 9a1788dd..2eda2a64 100644
--- a/terragrunt/aws/generate_sbom/ecr.tf
+++ b/terragrunt/aws/generate_sbom/ecr.tf
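Review bot: `TF_VAR_aws_org_id` is added to the workflow-level `env:` block (whose `env:` line is outside the hunk), so the secret is exported into the environment of every step of every job in the workflow rather than only the step that runs terragrunt; the identical hunk in generate-sbom-terragrunt-plan.yml has the same scope. Moving the same line, `TF_VAR_aws_org_id: ${{ secrets.AWS_ORG_ID }}`, under the `env:` of the terragrunt step keeps the value out of the process environment of the other tooling (e.g. conftest) the workflow pins versions for. Whether the plan workflow also runs for pull requests from forks is not visible here; if it does, `secrets.AWS_ORG_ID` resolves to empty there and the variable, which `inputs.tf` declares without a default, would be passed as an empty string.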
@@ -1,18 +1,47 @@
-resource "aws_ecr_repository" "generate_sbom" {
-  name = "${var.product_name}/generate_sbom/trivy"
-  image_tag_mutability = "MUTABLE"
-
-  image_scanning_configuration {
-    scan_on_push = true
-  }
-
-  encryption_configuration {
-    encryption_type = "KMS"
-  }
-
+resource "aws_ecrpublic_repository" "generate_sbom_public" {
+  provider = aws.us-east-1
+  repository_name = "${var.product_name}/generate_sbom/trivy"
   tags = {
     (var.billing_tag_key) = var.billing_tag_value
     Terraform = true
     Product = "${var.product_name}-${var.tool_name}"
   }
-}
\ No newline at end of file
+}
+data "aws_iam_policy_document" "sbom_public_policy_document" {
+  provider = aws.us-east-1
+  statement {
+    sid = "sbom_public_policy"
+    effect = "Allow"
+
+
+    principals {
+      type = "AWS"
+      identifiers = ["*"]
+    }
+    actions = [
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:BatchDeleteImage",
+      "ecr:BatchGetImage",
+      "ecr:CompleteLayerUpload",
+      "ecr:DescribeImages",
+      "ecr:DescribeRepositories",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:InitiateLayerUpload",
+      "ecr:ListImages",
+      "ecr:PutImage",
+      "ecr:SetRepositoryPolicy",
+      "ecr:UploadLayerPart"
+    ]
+    condition {
+      test = "StringEquals"
+      variable = "aws:PrincipalOrgID"
+      values = [var.aws_org_id]
+    }
+  }
+}
+resource "aws_ecrpublic_repository_policy" "sbom_public_policy" {
+  provider = aws.us-east-1
+  repository_name = aws_ecrpublic_repository.generate_sbom_public.repository_name
+  policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json)
+}
diff --git a/terragrunt/aws/generate_sbom/inputs.tf b/terragrunt/aws/generate_sbom/inputs.tf
new file mode 100644
index 00000000..88235c48
--- /dev/null
+++ b/terragrunt/aws/generate_sbom/inputs.tf
@@ -0,0 +1,5 @@
+variable "aws_org_id" {
+  description = "The AWS org account ID. Used to limit which accounts can access the public repository."
+  type = string
+  sensitive = true
+}
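Review bot: The `sbom_public_policy` statement grants `ecr:SetRepositoryPolicy` and `ecr:BatchDeleteImage` to `identifiers = ["*"]` narrowed only by `aws:PrincipalOrgID`, so any account or role anywhere in the organisation can rewrite this repository's policy or delete the published images; those two actions, together with the push actions (`PutImage`, `InitiateLayerUpload`, `UploadLayerPart`, `CompleteLayerUpload`), belong to the pipeline's own role as the principal, with at most the read/describe actions left org-wide. Separately, ECR Public authorises against the `ecr-public:` action namespace (e.g. `ecr-public:PutImage`), while every action listed here carries the private-registry `ecr:` prefix — worth confirming against the provider and AWS docs before apply, since as written the statement may not grant what is intended. Pulls from an `aws_ecrpublic_repository` are anonymous regardless of this policy, and wrapping the rendered document in `sensitive()` redacts the policy text from `terraform plan`, so later edits to this statement will not be visible in plan review. The replaced private repository had `scan_on_push = true`; the public resource declares no scanning, so that control is lost with this change and needs a home elsewhere (e.g. the scan step in the pipeline) if it is still wanted.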
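Review bot: The description of `aws_org_id` says it is used to "limit which accounts can access the public repository", but a public ECR repository is pullable by anyone; the org ID only conditions the statement in ecr.tf's `sbom_public_policy_document`, i.e. the push and management actions listed there. A more accurate wording is `description = "AWS Organization ID. Restricts the push/management actions granted in the public repository policy to principals in this org; pulls remain public."`. `sensitive = true` also flows through `var.aws_org_id` into the policy document, which ecr.tf additionally wraps in `sensitive()`, so the policy is redacted from plan output; an Organization ID is an identifier rather than a credential, so it is worth weighing that redaction against losing plan-time review of the policy.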