diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-ssekms.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-ssekms.ts
index 892b14ec8dd18..0ff7ec3a68c6f 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-ssekms.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac-ssekms.ts
@@ -18,8 +18,8 @@ const originAccessControl = new cloudfront.OriginAccessControl(stack, 'OriginAcc
 new cloudfront.Distribution(stack, 'Distribution', {
   defaultBehavior: {
     origin: new origins.S3Origin(bucket, {
-      originAccessControl: originAccessControl
-    })
+      originAccessControl: originAccessControl,
+    }),
   },
 });
 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts
index c8e3ecb3bf378..57e85f793a25a 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.s3-origin-oac.ts
@@ -11,10 +11,10 @@ const stack = new cdk.Stack(app, 'cloudfront-s3-origin-oac');
 const bucket = new s3.Bucket(stack, 'Bucket');
 const originAccessControl = new cloudfront.OriginAccessControl(stack, 'OriginAccessControl');
 new cloudfront.Distribution(stack, 'Distribution', {
-  defaultBehavior: { 
+  defaultBehavior: {
     origin: new origins.S3Origin(bucket, {
-      originAccessControl: originAccessControl
-    })
+      originAccessControl: originAccessControl,
+    }),
   },
 });
 
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-bucket-policy-handler.test.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-bucket-policy-handler.test.ts
index 1ab584939d679..079d3daa36a1e 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-bucket-policy-handler.test.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-bucket-policy-handler.test.ts
@@ -46,12 +46,12 @@ describe('S3 OAC bucket policy handler', () => {
   })
 });
 
-describe('updatePolicy', () => {
+describe('appendStatementToPolicy', () => {
   it('should add a new policy statement if it does not exist', () => {
     const currentPolicy = { Statement: [] };
     const policyStatementToAdd = { Sid: 'NewStatement', Effect: 'Allow', Action: 's3:GetObject', Resource: 'arn:aws:s3:::bucket/*' };
 
-    const updatedPolicy = updatePolicy(currentPolicy, policyStatementToAdd);
+    const updatedPolicy = appendStatementToPolicy(currentPolicy, policyStatementToAdd);
 
     expect(updatedPolicy.Statement).toContainEqual(policyStatementToAdd);
   });
diff --git a/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-key-policy-handler.test.ts b/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-key-policy-handler.test.ts
index e69c7b5b2e02e..028ae63c46f4e 100644
--- a/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-key-policy-handler.test.ts
+++ b/packages/@aws-cdk/custom-resource-handlers/test/aws-cloudfront-origins/s3-origin-access-control-key-policy-handler.test.ts
@@ -149,7 +149,7 @@ describe('getActions', () => {
   });
 });
 
-describe('updatePolicy', () => {
+describe('appendStatementToPolicy', () => {
   it('should add a new policy statement if it does not exist', () => {
     const currentPolicy = { Statement: [] };
     const policyStatementToAdd = { Sid: 'NewStatement', Effect: 'Allow', Action: ['kms:Decrypt'], Resource: '*' };
diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
index f20d77b8c7c01..408ce1ac4ec65 100644
--- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
+++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md
@@ -73,6 +73,7 @@ Flags come in three types:
 | [@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm](#aws-cdkaws-ecsremovedefaultdeploymentalarm) | When enabled, remove default deployment alarm settings | 2.143.0 | (default) |
 | [@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault](#aws-cdkcustom-resourceslogapiresponsedatapropertytruedefault) | When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default | 2.145.0 | (fix) |
 | [@aws-cdk/aws-cloudfront:useOriginAccessControlByDefault](#aws-cdkaws-cloudfrontuseoriginaccesscontrolbydefault) | When enabled, an origin access control will be created by default when a new S3 origin is created. | V2NEXT | (fix) |
+| [@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions](#aws-cdkaws-stepfunctions-tasksecsreduceruntaskpermissions) | When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN. | V2NEXT | (fix) |
 
 <!-- END table -->
 
@@ -135,6 +136,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
     "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions": true,
     "@aws-cdk/aws-cloudfront:useOriginAccessControlByDefault": true
   }
 }
@@ -1372,4 +1374,19 @@ of an origin access identity (legacy).
 | V2NEXT | `false` | `true` |
 
 
+### @aws-cdk/aws-stepfunctions-tasks:ecsReduceRunTaskPermissions
+
+*When enabled, IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.* (fix)
+
+When this feature flag is enabled, the IAM Policy created to run tasks won't include the task definition ARN, only the revision ARN.
+The revision ARN is more specific than the task definition ARN. See https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html
+for more details.
+
+
+| Since | Default | Recommended |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| V2NEXT | `false` | `true` |
+
+
 <!-- END details -->