From 58e46275b36028007cc3f50334aa74d6e3e7990a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20D=C4=85browski?=
Date: Tue, 20 Jun 2023 17:52:38 +0200
Subject: [PATCH] Filter IAM roles and policy attachments related to SSO (#1028)

---
 resources/iam-role-policy-attachments.go | 3 +++
 resources/iam-roles.go | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/resources/iam-role-policy-attachments.go b/resources/iam-role-policy-attachments.go
index ca463e76..e251616d 100644
--- a/resources/iam-role-policy-attachments.go
+++ b/resources/iam-role-policy-attachments.go
@@ -82,6 +82,9 @@ func (e *IAMRolePolicyAttachment) Filter() error {
 	if strings.Contains(e.policyArn, ":iam::aws:policy/aws-service-role/") {
 		return fmt.Errorf("cannot detach from service roles")
 	}
+	if strings.HasPrefix(*e.role.Path, "/aws-reserved/sso.amazonaws.com/") {
+		return fmt.Errorf("cannot detach from SSO roles")
+	}
 	return nil
 }
diff --git a/resources/iam-roles.go b/resources/iam-roles.go
index 9d655e99..cddd8d8b 100644
--- a/resources/iam-roles.go
+++ b/resources/iam-roles.go
@@ -73,6 +73,9 @@ func (e *IAMRole) Filter() error {
 	if strings.HasPrefix(e.path, "/aws-service-role/") {
 		return fmt.Errorf("cannot delete service roles")
 	}
+	if strings.HasPrefix(e.path, "/aws-reserved/sso.amazonaws.com/") {
+		return fmt.Errorf("cannot delete SSO roles")
+	}
 	return nil
 }
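Review bot: The new check in IAMRolePolicyAttachment.Filter dereferences `*e.role.Path` with no nil guard, so an attachment whose role has an unset Path pointer (or a nil `e.role`) panics inside Filter and aborts the whole run instead of skipping one resource; the sibling IAMRole.Filter works on a plain `e.path` string, so either store the dereferenced path on the attachment as well or guard the deref: `if e.role.Path != nil && strings.HasPrefix(*e.role.Path, "/aws-reserved/sso.amazonaws.com/") {`. Path is presumably populated for every role the SDK returns, so this is a defensive case, but a filter function is the wrong place to trade a skipped resource for a crash. A why-comment on the branch would also help the next reader, e.g. `// Roles under /aws-reserved/sso.amazonaws.com/ are provisioned and owned by IAM Identity Center; detaching their policies would break permission-set access.` Filter's signature appears only in the hunk header, so the function begins before the hunk.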
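Review bot: The reserved-path literal `"/aws-reserved/sso.amazonaws.com/"` is now duplicated verbatim between IAMRole.Filter and IAMRolePolicyAttachment.Filter, mirroring the existing duplication of `"/aws-service-role/"`; lifting it into one shared constant, e.g. `const ssoReservedRolePathPrefix = "/aws-reserved/sso.amazonaws.com/"`, would keep the two protections from drifting apart if the prefix ever has to change. The prefix match itself looks correct: Identity Center typically nests a region segment under that path and HasPrefix tolerates it, while the default path `/` cannot match. Consider a short comment on the new branch, e.g. `// Roles under /aws-reserved/sso.amazonaws.com/ are managed by IAM Identity Center; deleting them breaks permission-set access in this account.` Filter's signature appears only in the hunk header, so the function begins before the hunk.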