diff --git a/lib/deploy/stepFunctions/compileIamRole.js b/lib/deploy/stepFunctions/compileIamRole.js
index d01a53e..2ea9252 100644
--- a/lib/deploy/stepFunctions/compileIamRole.js
+++ b/lib/deploy/stepFunctions/compileIamRole.js
@@ -8,6 +8,14 @@ const { getArnPartition } = require('../../utils/arn');
 const logger = require('../../utils/logger');
+/**
+ * Check if a value is a JSONata value template
+ * e.g {% $.some.path %}
+ */
+function isJsonataValueTemplate(value) {
+ return typeof value === 'string' && value.trim().startsWith('{%') && value.trim().endsWith('}');
+}
+
 function getTaskStates(states, stateMachineName) {
 return _.flatMap(states, (state) => {
 switch (state.Type) {
@@ -84,13 +92,16 @@ function getSqsPermissions(serverless, state) {
 }
 function getSnsPermissions(serverless, state) {
- if (_.has(state, 'Parameters.TopicArn') || _.has(state, ['Parameters', 'TopicArn.$'])) {
- // if topic ARN is provided by input, then need pervasive permissions
- const topicArn = state.Parameters['TopicArn.$'] ? '*' : state.Parameters.TopicArn;
- return [{ action: 'sns:Publish', resource: topicArn }];
+ const topicArn = getParameterOrArgument(state, "TopicArn");
+ const topicArnPervasive = getParameterOrArgument(state, "TopicArn.$");
+ // if topic ARN is provided by input, then need pervasive permissions
+ if (topicArnPervasive) {
+ return [{ action: "sns:Publish", resource: "*" }];
 }
- logger.log('SNS task missing Parameters.TopicArn or Parameters.TopicArn.$');
+ if (topicArn) {
+ return [{ action: "sns:Publish", resource: topicArn }];
+ }
+ logger.log("SNS task missing Parameters.TopicArn or Parameters.TopicArn.$");
 return [];
 }
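Review bot: The closing test in `isJsonataValueTemplate` is looser than the `{% ... %}` syntax its own doc comment describes: any trimmed string that starts with `{%` and ends with a bare `}` passes, so a value such as `{%foo}` is classified as a template. Since the callers added in this commit use a positive result to replace a specific resource with `*`, a false positive widens the generated policy rather than failing closed. Suggest `if (typeof value !== 'string') return false; const s = value.trim(); return s.startsWith('{%') && s.endsWith('%}');`, which also avoids calling `trim()` twice.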
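Review bot: The rewritten getSnsPermissions only treats the JSONPath form `TopicArn.$` as dynamic; a JSONata task that supplies `TopicArn: "{% ... %}"` through Arguments (which `getParameterOrArgument` presumably reads as well — its definition is not in this diff) lands in the `if (topicArn)` branch and the template text is emitted verbatim as the policy resource. The same commit handles exactly this case for S3 keys with `isJsonataValueTemplate`, so the SNS branch should apply the same check: `if (topicArnPervasive || isJsonataValueTemplate(topicArn)) {`. The truthiness tests also replace the previous `_.has` presence checks, so an empty-string `TopicArn` now falls through to the log line instead of producing a statement — probably intended, but worth a comment. Minor style point: these lines switch to double-quoted strings while the rest of the file (`'sns:Publish'` on the removed lines, `'Bucket'` in the later hunk) uses single quotes.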
@@ -655,9 +666,16 @@ function resolveS3BucketReferences(bucket, resources) {
 }
 function getS3ObjectPermissions(action, state) {
- const bucket = state.Parameters.Bucket || '*';
- const key = state.Parameters.Key || '*';
- const prefix = state.Parameters.Prefix;
+ // Use the helper so both Arguments (JSONata) and Parameters (JSONPath) are supported
+ const bucket = getParameterOrArgument(state, 'Bucket') || '*';
+ let key = getParameterOrArgument(state, 'Key') || '*';
+ if (isJsonataValueTemplate(key)) {
+ console.warn( "Warning: When using JSONata, S3 object permissions will be given for all objects in the bucket" );
+ key = "*";
+ }
+ const prefix = getParameterOrArgument(state, 'Prefix');
 let arn;
 if (action === 's3:listObjectsV2') {