diff --git a/lib/plugins/aws/package/compile/layers.js b/lib/plugins/aws/package/compile/layers.js
index 4f5659510..e22879172 100644
--- a/lib/plugins/aws/package/compile/layers.js
+++ b/lib/plugins/aws/package/compile/layers.js
@@ -75,10 +75,14 @@ class AwsCompileLayers {
 const newPermission = this.cfLambdaLayerPermissionTemplate();
 newPermission.Properties.LayerVersionArn = { Ref: layerLogicalId };
 newPermission.Properties.Principal = account;
- const layerPermLogicalId = this.provider.naming.getLambdaLayerPermissionLogicalId(
+ let layerPermLogicalId = this.provider.naming.getLambdaLayerPermissionLogicalId(
 layerName,
 account
 );
+ if (layerObject.retain) {
+ layerPermLogicalId = `${layerPermLogicalId}${sha}`;
+ newPermission.DeletionPolicy = 'Retain';
+ }
 newLayerObject[layerPermLogicalId] = newPermission;
 return newPermission;
 });
diff --git a/test/unit/lib/plugins/aws/package/compile/layers.test.js b/test/unit/lib/plugins/aws/package/compile/layers.test.js
index 7d8e0cb87..aa3e55f12 100644
--- a/test/unit/lib/plugins/aws/package/compile/layers.test.js
+++ b/test/unit/lib/plugins/aws/package/compile/layers.test.js
@@ -323,6 +323,7 @@ describe('AwsCompileLayers', () => {
 });
 describe('lib/plugins/aws/package/compile/layers/index.test.js', () => {
+ const allowedAccount = 'arn:aws:iam::123456789012:root';
 let cfResources;
 let naming;
 let updateConfig;
@@ -337,6 +338,7 @@ describe('lib/plugins/aws/package/compile/layers/index.test.js', () => {
 layerRetain: {
 path: 'layer',
 retain: true,
+ allowedAccounts: [allowedAccount],
 },
 },
 },
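Review bot: The new `if (layerObject.retain)` branch in `lib/plugins/aws/package/compile/layers.js` needs a comment stating its access-control consequence. A permission marked `DeletionPolicy = 'Retain'` under a per-`sha` logical id stays attached to the old layer version after it drops out of the template. Removing an account from `allowedAccounts` later will therefore presumably not revoke its grant on versions already published. I would add above the branch `// Retained layer versions must keep their permissions: give each version its own grant (id + sha).` and `// Grants on older versions are then outside the stack and need explicit revocation.` Both `sha` and the start of the enclosing callback lie outside this hunk, so whether `sha` is always set when `retain` is true could not be confirmed from here.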
@@ -358,7 +360,7 @@ describe('lib/plugins/aws/package/compile/layers/index.test.js', () => {
 });
 describe('`layers[].retain` property', () => {
- it('should ensure expected deletion policy', () => {
+ it('should ensure expected deletion policy for layer resource', () => {
 const layerResourceNamePrefix = naming.getLambdaLayerLogicalId('layerRetain');
 const layerResourceName = Object.keys(cfResources).find(resourceName =>
 resourceName.startsWith(layerResourceNamePrefix)
@@ -368,6 +370,19 @@ describe('lib/plugins/aws/package/compile/layers/index.test.js', () => {
 expect(layerResource.DeletionPolicy).to.equal('Retain');
 });
+ it('should ensure expected deletion policy for layer permission resource', () => {
+ const layerPermissionResourceNamePrefix = naming.getLambdaLayerPermissionLogicalId(
+ 'layerRetain',
+ allowedAccount
+ );
+ const layerPermissionResourceName = Object.keys(cfResources).find(resourceName =>
+ resourceName.startsWith(layerPermissionResourceNamePrefix)
+ );
+ expect(layerPermissionResourceName).to.not.equal(layerPermissionResourceNamePrefix);
+ const layerPermissionResource = cfResources[layerPermissionResourceName];
+ expect(layerPermissionResource.DeletionPolicy).to.equal('Retain');
+ });
+
 it('should ensure unique resource id per layer version', async () => {
 const layerResourceNamePrefix = naming.getLambdaLayerLogicalId('layerRetain');
 const firstLayerResourceName = Object.keys(cfResources).find(resourceName =>
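Review bot: The added `should ensure expected deletion policy for layer permission resource` test never asserts that the lookup found a resource. If `find` returns `undefined`, `expect(layerPermissionResourceName).to.not.equal(layerPermissionResourceNamePrefix)` still passes, and the failure only surfaces as a TypeError on `layerPermissionResource.DeletionPolicy`. Adding `expect(layerPermissionResourceName).to.be.a('string');` before the inequality check makes the missing-resource case explicit. Since this resource is an access grant that now outlives the stack entry, I would also pin its target with `expect(layerPermissionResource.Properties.Principal).to.equal(allowedAccount);`.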