I noticed when auditing some of our policies that the StepFunction AthenaStartQueryExecution task construct adds some very broad permissions, including "s3:CreateBucket" and "s3:GetObject" on "*". These are added whether you allow the step function to generate the role or you provide an explicit role yourself.

This is apparently to allow creating a new output location for the Athena results, but this seems like an unlikely scenario because in most cases I would expect people to be providing result outputs in the workgroup settings or to the Athena call itself.

Could we cut this down, or at least make it possible to opt out of these broad policies?

Replies: 1 comment

- This is a requirement by the service, from what I understand.
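One way to surface the pattern the question describes when auditing a synthesized policy document, as an added example that is not part of the discussion or the CDK project: the policy below is constructed to mirror the permissions mentioned, the ARNs and account id are placeholders, and the audit only flags Allow statements that grant the named S3 actions (directly or through a wildcard such as `s3:*`) on a bare wildcard resource.

```python
import fnmatch
import json

# S3 actions the discussion singles out as too broad when granted on "*".
BROAD_S3_ACTIONS = ("s3:CreateBucket", "s3:GetObject")
WILDCARD_RESOURCES = ("*", "arn:aws:s3:::*")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_s3_grants(policy):
    """Return (statement_index, broad_action) pairs for every Allow statement
    whose Action matches a broad S3 action (wildcards such as s3:* included)
    and whose Resource is a bare wildcard."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        if not any(r in WILDCARD_RESOURCES for r in resources):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for broad in BROAD_S3_ACTIONS:
                # IAM action matching is case-insensitive and supports "*".
                if fnmatch.fnmatchcase(broad.lower(), pattern.lower()):
                    findings.append((idx, broad))
    return findings


# Constructed policy document modelled on the permissions the post describes;
# the workgroup ARN, bucket name and account id are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "athena:StartQueryExecution",
     "Resource": "arn:aws:athena:us-east-1:111111111111:workgroup/example"},
    {"Effect": "Allow",
     "Action": ["s3:CreateBucket", "s3:GetObject", "s3:PutObject"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-results-bucket/*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for idx, action in find_broad_s3_grants(SAMPLE_POLICY):
        print(f"Statement[{idx}] grants {action} on a wildcard resource")
```

The scoped `s3:GetObject` grant on a specific bucket (statement 2) is not reported, which is the shape a narrowed task role would take.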