diff --git a/packages/aws-cdk-lib/aws-lambda/README.md b/packages/aws-cdk-lib/aws-lambda/README.md
index 6cb5a4244dede..42a40618dbe00 100644
--- a/packages/aws-cdk-lib/aws-lambda/README.md
+++ b/packages/aws-cdk-lib/aws-lambda/README.md
@@ -558,6 +558,8 @@ new lambda.LayerVersion(this, 'MyLayer', {
 });
 ```
+The `addPermission()` function can be used to allow access to the layer version from other AWS accounts or AWS Organizations. You can also specify `removalPolicy: RemovalPolicy.RETAIN` as part of the LayerVersionPermission. That way when new layers versions are creatd, old versions remain accessable from other acconts.
+
 ## Architecture
 Lambda functions, by default, run on compute systems that have the 64 bit x86 architecture.
diff --git a/packages/aws-cdk-lib/aws-lambda/lib/layers.ts b/packages/aws-cdk-lib/aws-lambda/lib/layers.ts
index 8fa00ec929949..09651f119b4da 100644
--- a/packages/aws-cdk-lib/aws-lambda/lib/layers.ts
+++ b/packages/aws-cdk-lib/aws-lambda/lib/layers.ts
@@ -101,12 +101,16 @@ abstract class LayerVersionBase extends Resource implements ILayerVersion {
       throw new Error(`OrganizationId can only be specified if AwsAccountId is '*', but it is ${permission.accountId}`);
     }
-    new CfnLayerVersionPermission(this, id, {
+    const cfnLayerVersionPermission = new CfnLayerVersionPermission(this, id, {
       action: 'lambda:GetLayerVersion',
       layerVersionArn: this.layerVersionArn,
       principal: permission.accountId,
       organizationId: permission.organizationId,
     });
+
+    if (permission.removalPolicy != null) {
+      cfnLayerVersionPermission.applyRemovalPolicy(permission.removalPolicy);
+    }
   }
 }
@@ -126,6 +130,14 @@ export interface LayerVersionPermission {
    * Can only be specified if ``accountId`` is ``'*'``
    */
   readonly organizationId?: string;
+
+  /**
+   * Whether to retain this permission when a new version is added
+   * or when the stack is deleted.
+   *
+   * @default null
+   */
+  readonly removalPolicy?: RemovalPolicy;
 }
 /**
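Review bot: Applying `RemovalPolicy.RETAIN` to the `CfnLayerVersionPermission` keeps a cross-account or organization-wide `lambda:GetLayerVersion` grant alive after the stack is deleted or this `addPermission()` call is removed, and no construct in the stack owns it from then on, so the `if (permission.removalPolicy != null)` branch deserves a comment saying so: `// RETAIN leaves the grant in place outside this stack's lifecycle; it then has to be revoked by hand (RemoveLayerVersionPermission), so only use it where the layer version itself is retained too.` The `!= null` test is presumably deliberate to cover both `null` and `undefined`; `!== undefined` would be the usual form for an optional property, but either works. A retained permission references a layer version ARN, so retention only helps if the `LayerVersion` carries the same removal policy, which this hunk cannot enforce. The enclosing `addPermission` method starts above the hunk.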
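Review bot: The doc comment on `removalPolicy` describes a `RemovalPolicy` as if it were a boolean (`Whether to retain this permission…`) and gives `@default null`, which is neither a value a caller can pass for an optional property nor this package's `@default -` description convention. I would change the summary to `Removal policy for this permission, e.g. RemovalPolicy.RETAIN to keep the grant when the layer version is replaced or the stack is deleted.` and the default line to `@default - no removal policy is applied to the permission`. It is also worth stating in the comment that retaining the permission only helps if the layer version it refers to is retained as well. The `LayerVersionPermission` interface is only partly visible in this hunk.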
diff --git a/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts b/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts
index 47386596cebe2..bec14b5f3d4aa 100644
--- a/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts
+++ b/packages/aws-cdk-lib/aws-lambda/test/layers.test.ts
@@ -41,6 +41,7 @@ describe('layers', () => {
     // WHEN
     layer.addPermission('GrantUsage-123456789012', { accountId: '123456789012' });
     layer.addPermission('GrantUsage-o-123456', { accountId: '*', organizationId: 'o-123456' });
+    layer.addPermission('GrantUsage-o-011235', { accountId: '*', organizationId: 'o-011235', removalPolicy: cdk.RemovalPolicy.RETAIN });
     // THEN
     Template.fromStack(stack).hasResourceProperties('AWS::Lambda::LayerVersionPermission', {
@@ -54,6 +55,16 @@ describe('layers', () => {
       Principal: '*',
       OrganizationId: 'o-123456',
     });
+    Template.fromStack(stack).hasResource('AWS::Lambda::LayerVersionPermission', {
+      Properties: {
+        Action: 'lambda:GetLayerVersion',
+        LayerVersionArn: stack.resolve(layer.layerVersionArn),
+        Principal: '*',
+        OrganizationId: 'o-011235',
+      },
+      UpdateReplacePolicy: cdk.CfnDeletionPolicy.RETAIN,
+      DeletionPolicy: cdk.CfnDeletionPolicy.RETAIN,
+    });
   });
   test('creating a layer with no runtimes compatible', () => {
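Review bot: The new `hasResource` assertion checks that the `o-011235` permission carries `RETAIN`, but nothing verifies that the two permissions created without a `removalPolicy` still have no `DeletionPolicy`/`UpdateReplacePolicy`; the existing `hasResourceProperties` checks only look at `Properties`, so a regression that applied the policy unconditionally would still pass. Add an absence check for one of the default-policy permissions, e.g. `Template.fromStack(stack).hasResource('AWS::Lambda::LayerVersionPermission', { Properties: { OrganizationId: 'o-123456' }, DeletionPolicy: Match.absent() });` (this needs `Match` from `aws-cdk-lib/assertions`, which may or may not already be imported in this file). The enclosing `test` callback starts above the hunk.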