diff --git a/pkg/project/provider/aws.go b/pkg/project/provider/aws.go
index 6b0a0ebacd..61a35eb7fc 100644
--- a/pkg/project/provider/aws.go
+++ b/pkg/project/provider/aws.go
@@ -526,6 +526,37 @@ var steps = []bootstrapStep{
 func(ctx context.Context, cfg aws.Config, data *AwsBootstrapData) error {
 return nil
 },
+
+ // Step: apply ECR lifecycle policy to clean up untagged images
+ func(ctx context.Context, cfg aws.Config, data *AwsBootstrapData) error {
+ ecrClient := ecr.NewFromConfig(cfg)
+ repoName := "sst-asset"
+
+ lifecyclePolicy := `{
+ "rules": [
+ {
+ "rulePriority": 1,
+ "description": "Expire untagged images pushed over 30 days ago",
+ "selection": {
+ "tagStatus": "untagged",
+ "countType": "sinceImagePushed",
+ "countUnit": "days",
+ "countNumber": 30
+ },
+ "action": {"type": "expire"}
+ }
+ ]
+ }`
+
+ _, err := ecrClient.PutLifecyclePolicy(ctx, &ecr.PutLifecyclePolicyInput{
+ RepositoryName: aws.String(repoName),
+ LifecyclePolicyText: aws.String(lifecyclePolicy),
+ })
+ if err != nil {
+ slog.Warn("failed to set ECR lifecycle policy", "error", err)
+ }
+ return nil
+ },
 }
 type AwsHome struct {
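Review bot: `PutLifecyclePolicy` in the new bootstrap step replaces whatever lifecycle policy is already attached to `sst-asset`, so a retention rule the account owner set on that repository is overwritten without notice. Reading the current policy first and writing only when ECR answers `LifecyclePolicyNotFoundException` avoids that; the sketch below assumes the ECR `types` package and `errors` can be imported in this file. The step also logs and returns nil on failure, so a role lacking `ecr:PutLifecyclePolicy` leaves the repository without the policy and, if bootstrap steps run only once per version as the surrounding slice suggests, nothing retries it. Untagged images are also what a digest-pinned deployment references, so it is worth confirming that nothing still in use is pulled by digest from this repository after 30 days.

```go
ecrClient := ecr.NewFromConfig(cfg)
repoName := "sst-asset"

// Leave a policy the account owner already set on the repository untouched.
_, err := ecrClient.GetLifecyclePolicy(ctx, &ecr.GetLifecyclePolicyInput{
	RepositoryName: aws.String(repoName),
})
if err == nil {
	return nil
}
var notFound *types.LifecyclePolicyNotFoundException
if !errors.As(err, &notFound) {
	slog.Warn("failed to read ECR lifecycle policy", "error", err)
	return nil
}

// … unchanged: lifecyclePolicy JSON literal …

_, err = ecrClient.PutLifecyclePolicy(ctx, &ecr.PutLifecyclePolicyInput{
	// … unchanged: RepositoryName, LifecyclePolicyText …
})
// … unchanged: warn on error, return nil …
```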