diff --git a/packages/cdk/lib/cloudquery/index.ts b/packages/cdk/lib/cloudquery/index.ts
index d3e7205eb..289e30a79 100644
--- a/packages/cdk/lib/cloudquery/index.ts
+++ b/packages/cdk/lib/cloudquery/index.ts
@@ -28,7 +28,12 @@ import {
 snykSourceConfig,
 } from './config';
 import { Images } from './images';
-import { cloudqueryAccess, listOrgsPolicy, readBucketPolicy } from './policies';
+import {
+ cloudqueryAccess,
+ listOrgsPolicy,
+ readBucketPolicy,
+ readDynamoDbTablePolicy,
+} from './policies';
 
 interface CloudqueryEcsClusterProps {
 vpc: IVpc;
@@ -620,6 +625,15 @@ export function addCloudqueryEcsCluster(
 'packages-bucket-name',
 ),
 },
+ policies: [
+ readDynamoDbTablePolicy(
+ GuardianAwsAccounts.DeployTools,
+ '{BASE_IMAGES_TABLE_NAME}',
+ '{RECIPES_TABLE_NAME}',
+ '{BAKES_TABLE_NAME}',
+ ),
+ readBucketPolicy('arn:aws:s3:::${PACKAGES_BUCKET_NAME}/packagelists/*'),
+ ],
 };
 
 return new CloudqueryCluster(scope, `${app}Cluster`, {
diff --git a/packages/cdk/lib/cloudquery/policies.ts b/packages/cdk/lib/cloudquery/policies.ts
index 7b1d85657..5bb3fdaff 100644
--- a/packages/cdk/lib/cloudquery/policies.ts
+++ b/packages/cdk/lib/cloudquery/policies.ts
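Review bot: The table names handed to readDynamoDbTablePolicy in the addCloudqueryEcsCluster hunk, `'{BASE_IMAGES_TABLE_NAME}'` and the two like it, and the `${PACKAGES_BUCKET_NAME}` inside the readBucketPolicy ARN read as unfilled placeholders rather than real resource names, and they use two different placeholder syntaxes. Both helpers interpolate their arguments verbatim into IAM resource ARNs, so unless something downstream substitutes these strings (nothing in this hunk does, and a single-quoted `${…}` is not a CDK token), the statements would only match resources with those literal names and the task would be denied on the real tables and bucket. The neighbouring `'packages-bucket-name'` context line suggests the bucket name is already being looked up; passing that resolved value and the actual table names into the two policy calls would make the grant effective while keeping it scoped to exactly those resources. addCloudqueryEcsCluster starts and ends outside this hunk.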
@@ -36,6 +36,32 @@ export const readBucketPolicy = (...resources: string[]): PolicyStatement => {
 });
 };
 
+/**
+ * Create a policy statement allowing read access to the given DynamoDB tables.
+ *
+ * @param accountId the AWS account ID
+ * @param tableNames a list of DynamoDB table names
+ * @returns a policy statement allowing read access to the given DynamoDB tables.
+ */
+export const readDynamoDbTablePolicy = (
+ accountId: string,
+ ...tableNames: string[]
+): PolicyStatement => {
+ return new PolicyStatement({
+ effect: Effect.ALLOW,
+ // for each table name, create a resource ARN
+ resources: tableNames.map(
+ (tableName) => `arn:aws:dynamodb::${accountId}:table/${tableName}`,
+ ),
+ actions: [
+ 'dynamodb:GetItem',
+ 'dynamodb:BatchGetItem',
+ 'dynamodb:Query',
+ 'dynamodb:Scan',
+ ],
+ });
+};
+
 export function singletonPolicy(cluster: Cluster) {
 return new PolicyStatement({
 effect: Effect.ALLOW,
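Review bot: The resource ARN built in readDynamoDbTablePolicy, `arn:aws:dynamodb::${accountId}:table/${tableName}`, leaves the region field empty; DynamoDB table ARNs carry a region, so as far as I can tell this pattern would not match any actual table and the statement would grant nothing in practice. Either add a region parameter or use a wildcard in that position, e.g. `arn:aws:dynamodb:*:${accountId}:table/${tableName}`, which still confines the grant to the named tables in the given account. The TSDoc would also benefit from saying that `tableNames` is interpolated verbatim into the ARN, so callers must pass concrete table names (no patterns) unless a wildcard grant is intended.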