Filter IAM roles and policy attachments related to SSO (#1028)

krzysdabro · web-flow · commit 58e46275b360 · 2023-06-20T17:52:38.000+02:00
diff --git a/resources/iam-role-policy-attachments.go b/resources/iam-role-policy-attachments.go
@@ -82,6 +82,9 @@ func (e *IAMRolePolicyAttachment) Filter() error {
 	if strings.Contains(e.policyArn, ":iam::aws:policy/aws-service-role/") {
 		return fmt.Errorf("cannot detach from service roles")
 	}
+	if strings.HasPrefix(*e.role.Path, "/aws-reserved/sso.amazonaws.com/") {
+		return fmt.Errorf("cannot detach from SSO roles")
+	}
 	return nil
 }
 
diff --git a/resources/iam-roles.go b/resources/iam-roles.go
@@ -73,6 +73,9 @@ func (e *IAMRole) Filter() error {
 	if strings.HasPrefix(e.path, "/aws-service-role/") {
 		return fmt.Errorf("cannot delete service roles")
 	}
+	if strings.HasPrefix(e.path, "/aws-reserved/sso.amazonaws.com/") {
+		return fmt.Errorf("cannot delete SSO roles")
+	}
 	return nil
 }
 

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,9 @@ func (e *IAMRolePolicyAttachment) Filter() error {`
`82`	`82`	`if strings.Contains(e.policyArn, ":iam::aws:policy/aws-service-role/") {`
`83`	`83`	`return fmt.Errorf("cannot detach from service roles")`
`84`	`84`	`}`
	`85`	`+ if strings.HasPrefix(*e.role.Path, "/aws-reserved/sso.amazonaws.com/") {`
	`86`	`+ return fmt.Errorf("cannot detach from SSO roles")`
	`87`	`+ }`
`85`	`88`	`return nil`
`86`	`89`	`}`
`87`	`90`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,9 @@ func (e *IAMRole) Filter() error {`
`73`	`73`	`if strings.HasPrefix(e.path, "/aws-service-role/") {`
`74`	`74`	`return fmt.Errorf("cannot delete service roles")`
`75`	`75`	`}`
	`76`	`+ if strings.HasPrefix(e.path, "/aws-reserved/sso.amazonaws.com/") {`
	`77`	`+ return fmt.Errorf("cannot delete SSO roles")`
	`78`	`+ }`
`76`	`79`	`return nil`
`77`	`80`	`}`
`78`	`81`