feat(stepfunctions-tasks): scope down batch:SubmitJob permissions to specific job definition

Previously, SubmitBatchJob granted batch:SubmitJob on all job
definitions (job-definition/*). Now the permission is scoped to the
specific job definition ARN with a wildcard revision suffix, following
least privilege principles.

When the job definition ARN is a dynamic expression (JsonPath/Jsonata),
it falls back to the wildcard resource.

Closes #37214

Author: syukawa-dev

packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/batch/submit-job.ts

@@ -307,17 +307,18 @@ export class BatchSubmitJob extends sfn.TaskStateBase {
   }
 
   private configurePolicyStatements(): iam.PolicyStatement[] {
+    const jobDefinitionResource = isJsonPathOrJsonataExpression(this.props.jobDefinitionArn)
+      ? Stack.of(this).formatArn({
+        service: 'batch',
+        resource: 'job-definition',
+        resourceName: '*',
+      })
+      : `${this.props.jobDefinitionArn.replace(/:\d+$/, '')}:*`;
+
     return [
-      // Resource level access control for job-definition requires revision which batch does not support yet
-      // Using the alternative permissions as mentioned here:
-      // https://docs.aws.amazon.com/batch/latest/userguide/batch-supported-iam-actions-resources.html
       new iam.PolicyStatement({
         resources: isJsonPathOrJsonataExpression(this.props.jobQueueArn) ? ['*'] : [
-          Stack.of(this).formatArn({
-            service: 'batch',
-            resource: 'job-definition',
-            resourceName: '*',
-          }),
+          jobDefinitionResource,
           this.props.jobQueueArn,
         ],
         actions: ['batch:SubmitJob'],