diff --git a/infra/cfn/template-lambda-function.yaml b/infra/cfn/template-lambda-function.yaml
index 4ba2527..280563a 100644
--- a/infra/cfn/template-lambda-function.yaml
+++ b/infra/cfn/template-lambda-function.yaml
@@ -22,6 +22,14 @@ Parameters:
     Default: main
     Description: Git repository branch
 
+  ImageDigest:
+    Type: String
+    Default: ""
+    Description: "ECR image digest (e.g., sha256:abc123...). If empty, uses 'latest' tag. Use digest for deterministic deployments."
+
+Conditions:
+  UseDigest: !Not [!Equals [!Ref ImageDigest, ""]]
+
 Resources:
 
   MyLambdaRole:
@@ -71,15 +79,20 @@ Resources:
     Properties:
       FunctionName: blog-deployment-webhook-handler
       PackageType: Image
-      ImageUri:
-        !Join
-          - ":"
-          - - !ImportValue BlogDeployment-RepositoryUri
-            - "latest"
+      ImageUri: !If
+        - UseDigest
+        - !Sub
+          - "${RepoUri}@${Digest}"
+          - RepoUri: !ImportValue BlogDeployment-RepositoryUri
+            Digest: !Ref ImageDigest
+        - !Sub
+          - "${RepoUri}:latest"
+          - RepoUri: !ImportValue BlogDeployment-RepositoryUri
       Timeout: 300
       MemorySize: 512
       Architectures:
         - arm64
+      AutoPublishAlias: live
       Environment:
         Variables:
           REPO_URL: !Ref RepoURL