From 20d928122d497fab1a0ce22f7fe8c1a3ab5b8b3e Mon Sep 17 00:00:00 2001
From: Laura Seidler
Date: Fri, 22 Dec 2023 14:03:50 +0100
Subject: [PATCH] Filter `IAMRolePolicy` resources related to SSO
---
 resources/iam-role-policy.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/resources/iam-role-policy.go b/resources/iam-role-policy.go
index 312e4f90b..b4fb709d8 100644
--- a/resources/iam-role-policy.go
+++ b/resources/iam-role-policy.go
@@ -85,6 +85,9 @@ func (e *IAMRolePolicy) Filter() error {
 if strings.HasPrefix(aws.StringValue(e.role.Path), "/aws-service-role/") {
 return fmt.Errorf("cannot alter service roles")
 }
+ if strings.HasPrefix(aws.StringValue(e.role.Path), "/aws-reserved/sso.amazonaws.com/") {
+ return fmt.Errorf("cannot alter SSO roles")
+ }
 return nil
 }
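Review bot: The new guard in `Filter()` hard-codes the reserved path inline and carries no comment saying why these roles are skipped, so the safeguard is easy to weaken or overlook in a later edit. I would read the path once, `path := aws.StringValue(e.role.Path)`, use it in both `strings.HasPrefix` checks, and add a comment above the new branch such as `// Roles under /aws-reserved/sso.amazonaws.com/ are provisioned by IAM Identity Center; skip their inline policies instead of attempting a delete.` The body of `Filter()` starts above this hunk, so I cannot tell whether `e.role` is checked for nil before these dereferences; if it is not, both branches would panic on a nil role. Other resource types that act on roles (the role itself, attached managed policies) are not visible here and may need the same prefix filter to stay consistent.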