diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2715ceb..e19afe2 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,6 +17,10 @@ on:
 description: "Valid lambda version"
 required: true
 type: string
+ lambda_keep:
+ description: "Number of lambda versions to keep"
+ default: '5'
+ type: string
 concurrency:
 # only run one instance of workflow at any one time
@@ -121,3 +125,13 @@ jobs:
 with:
 aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
 just_action: lambda-deploy
+
+ - name: prune lambda
+ uses: chrispsheehan/just-aws-oidc-action@0.1.3
+ env:
+ KEEP: ${{ inputs.lambda_keep }}
+ FUNCTION_NAME: ${{ steps.get-api-vars.outputs.lambda_function_name }}
+ ALIAS_NAME: ${{ steps.get-api-vars.outputs.lambda_alias_name }}
+ with:
+ aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
+ just_action: lambda-prune
diff --git a/infra/modules/aws/lambda/main.tf b/infra/modules/aws/lambda/main.tf
index 75120a1..e9301a0 100644
--- a/infra/modules/aws/lambda/main.tf
+++ b/infra/modules/aws/lambda/main.tf
@@ -116,6 +116,8 @@ resource "aws_appautoscaling_target" "pc_target" {
 resource_id = "function:${local.lambda_name}:${var.environment}"
 scalable_dimension = "lambda:function:ProvisionedConcurrency"
 service_namespace = "lambda"
+
+ depends_on = [aws_lambda_alias.live]
 }
 resource "aws_appautoscaling_policy" "pc_policy" {
diff --git a/justfile b/justfile
index 70e79c0..98b4407 100644
--- a/justfile
+++ b/justfile
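Review bot: The new `prune lambda` step references `chrispsheehan/just-aws-oidc-action@0.1.3` by tag, and a tag can be moved to different code after this review; the step hands that action an OIDC role which, with this change, presumably needs permission to delete function versions. Pinning to the full commit SHA, `uses: chrispsheehan/just-aws-oidc-action@<full-commit-sha> # 0.1.3`, keeps the executed code fixed. The same likely applies to the lambda-deploy step above, whose `uses:` line is outside the hunk. It is also worth confirming that the role's policy limits `lambda:DeleteFunction` to this function's ARN rather than a wildcard.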
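Review bot: The explicit `depends_on` in `pc_target` is needed only because `resource_id` rebuilds the alias qualifier from `var.environment` instead of reading it from the alias resource. If the alias name is in fact `var.environment` (the alias definition is outside the hunk), `resource_id = "function:${local.lambda_name}:${aws_lambda_alias.live.name}"` gives Terraform the same ordering implicitly and keeps the two values from drifting apart. If `depends_on` stays, a short comment such as `# alias must exist before it can be registered as a scalable target` would record why it is there.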
@@ -230,3 +230,32 @@ lambda-deploy:
 echo "❌ Deployment $DEPLOYMENT_ID did not complete within expected time."
 exit 1
+
+lambda-prune:
+ #!/usr/bin/env bash
+ live_version=$(aws lambda get-alias \
+ --function-name "$FUNCTION_NAME" \
+ --name "$ALIAS_NAME" \
+ --region "$AWS_REGION" \
+ | jq -r '.FunctionVersion')
+
+ echo "Alias '$ALIAS_NAME' points to: ${live_version:-}"
+ versions=$(aws lambda list-versions-by-function \
+ --function-name "$FUNCTION_NAME" \
+ --region "$AWS_REGION" \
+ | jq -r '.Versions[] | select(.Version != "$LATEST") | .Version' \
+ | sort -nr)
+
+ keep_newest=$(echo "$versions" | head -n "$KEEP")
+ keep_set=$(printf "%s\n%s\n" "$keep_newest" "$live_version" | sort -u)
+ to_delete=$(comm -23 <(echo "$versions" | sort -u) <(echo "$keep_set" | sort -u))
+
+ echo "Keeping version(s): $(echo "$keep_set" | tr '\n' ' ')"
+ if [[ -z "${to_delete// }" ]]; then
+ echo "Nothing to delete."
+ exit 0
+ fi
+ for v in $to_delete; do
+ echo "Deleting $FUNCTION_NAME:$v"
+ aws lambda delete-function --function-name "$FUNCTION_NAME" --qualifier "$v" --region "$REGION"
+ done
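Review bot: The final `aws lambda delete-function` call passes `--region "$REGION"`, while every other call in the recipe uses `$AWS_REGION` and nothing on the page sets `REGION`, so the deletes probably run with an empty or wrong region. The recipe also has no `set -euo pipefail` and checks neither `KEEP` (a free-form string input in deploy.yml) nor `live_version`: if `head -n "$KEEP"` or `get-alias` fails, `keep_set` shrinks and the loop goes on to delete versions the recipe meant to keep. Only `.FunctionVersion` is protected, so a version referenced through the alias's weighted routing, if the deploy uses one, would not be in `keep_set` either. The fence below stops the recipe before any delete when either value is unusable and fixes the region variable.

```just
lambda-prune:
    #!/usr/bin/env bash
    set -euo pipefail
    # KEEP comes from a free-form workflow input; accept only a positive integer.
    if ! [[ "$KEEP" =~ ^[1-9][0-9]*$ ]]; then
        echo "KEEP must be a positive integer, got '$KEEP'" >&2
        exit 1
    fi
    # … unchanged: live_version lookup via get-alias …
    # Refuse to prune when the alias target could not be resolved to a version number.
    if ! [[ "$live_version" =~ ^[0-9]+$ ]]; then
        echo "Could not resolve alias '$ALIAS_NAME' to a version" >&2
        exit 1
    fi
    # … unchanged: version listing, keep_set/to_delete computation, empty check, loop header …
        aws lambda delete-function --function-name "$FUNCTION_NAME" --qualifier "$v" --region "$AWS_REGION"
```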