diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86c319634..361123c79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 - Increased the maximum `stride_for_norm_param_estimation` to 32 from 16 for the `OPERA_DIST_S1` job specification to handle models with a larger input size.
+- The hyp3-ci stack permission for JPL deployments were expanded to support deploying HyP3-based monitoring stacks:
+ - Listing CloudFormation stacks is now allowed.
+ - CloudFormation permissions were expanded to any region from just us-west-2.
+ - ECR actions are now allowed.
 
 ## [10.12.1]
 
diff --git a/README.md b/README.md
index 1ab2619ea..b4d6d320b 100644
--- a/README.md
+++ b/README.md
@@ -184,10 +184,7 @@ aws cloudformation deploy \
 --template-file cicd-stacks/JPL-deployment-policy-cf.yml
 ```
 
-*Warning: This stack should only be deployed once per AWS account. This stack also
-assumes you are only deploying into a single AWS Region. If you are deploying into
-multiple regions in the same AWS account, you'll need to adjust the IAM permissions
-that are limited to a single region.*
+*Warning: This stack should only be deployed once per AWS account.*
 
 Then open a [Cloud Team Service Desk](https://itsd-jira.jpl.nasa.gov/servicedesk/customer/portal/13)
 request for a service user account here:
diff --git a/cicd-stacks/JPL-deployment-policy-cf.yml b/cicd-stacks/JPL-deployment-policy-cf.yml
index c5f18a7f5..c3f06f86b 100644
--- a/cicd-stacks/JPL-deployment-policy-cf.yml
+++ b/cicd-stacks/JPL-deployment-policy-cf.yml
@@ -18,6 +18,7 @@ Resources:
 - dynamodb:*
 - ec2:*
 - ecs:*
+ - ecr:GetAuthorizationToken
 - events:*
 - iam:CreateServiceLinkedRole
 - iam:DeleteServiceLinkedRole
@@ -49,6 +50,7 @@ Resources:
 - Effect: Allow
 Action:
 - cloudformation:SetStackPolicy
+ - cloudformation:ListStacks
 - cloudformation:CreateStack
 - cloudformation:UpdateStack
 - cloudformation:DeleteStack
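Review bot: `cloudformation:ListStacks` is added to a statement whose `Resource` (visible in the following hunk) is the `stack/*` ARN pattern; as far as I know ListStacks does not support resource-level permissions in the IAM service authorization reference and is only honoured with `Resource: "*"`, so the changelog claim that listing stacks is now allowed would not actually hold. Worth confirming with a policy-simulator run and, if so, moving it into its own statement, e.g. `- Effect: Allow` / `Action: cloudformation:ListStacks` / `Resource: "*"`. The `ecr:GetAuthorizationToken` grant in the earlier YAML hunk sits in the statement that already holds `ec2:*` and `ecs:*`, presumably with a `*` resource, so it does not have this problem. The enclosing statement begins above this hunk and its `Resource` key lies outside it.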
@@ -57,7 +59,21 @@ Resources:
 - cloudformation:ExecuteChangeSet
 - cloudformation:DeleteChangeSet
 - cloudformation:GetTemplateSummary
- Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
+ Resource: !Sub "arn:aws:cloudformation:*:${AWS::AccountId}:stack/*"
+
+ - Effect: Allow
+ Action:
+ - ecr:BatchCheckLayerAvailability
+ - ecr:GetDownloadUrlForLayer
+ - ecr:DescribeRepositories
+ - ecr:ListImages
+ - ecr:DescribeImages
+ - ecr:BatchGetImage
+ - ecr:InitiateLayerUpload
+ - ecr:UploadLayerPart
+ - ecr:CompleteLayerUpload
+ - ecr:PutImage
+ Resource: !Sub "arn:aws:ecr:*:${AWS::AccountId}:repository/*"
 
 ApiGatewayLoggingRole:
 Type: Custom::JplRole
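Review bot: The new ECR statement grants the push actions `InitiateLayerUpload`, `UploadLayerPart`, `CompleteLayerUpload` and `PutImage` on `repository/*` in every region, and the CloudFormation `Resource` on the line above it is widened from `${AWS::Region}` to `*`; together this lets the CI role overwrite any image in any repository the account owns, not only the monitoring stacks' images, which is a wide supply-chain blast radius for a deployment credential. If the deployment regions are known, bound both statements with `Condition: StringEquals: aws:RequestedRegion: [<region list, to be filled in>]` rather than a bare region wildcard, and narrow the ECR ARN to the repository naming prefix these stacks use, e.g. `repository/<hyp3-prefix>-*` (placeholder). Splitting the read-only ECR actions from the push actions into separate statements would also make later reviews of this policy easier. Since the README warning about single-region IAM scoping is dropped in this commit, a region condition is the remaining place to record the intended region set.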