diff --git a/resources/iam-role-policy-attachments.go b/resources/iam-role-policy-attachments.go
index ca463e765..e251616df 100644
--- a/resources/iam-role-policy-attachments.go
+++ b/resources/iam-role-policy-attachments.go
@@ -82,6 +82,9 @@ func (e *IAMRolePolicyAttachment) Filter() error {
 	if strings.Contains(e.policyArn, ":iam::aws:policy/aws-service-role/") {
 		return fmt.Errorf("cannot detach from service roles")
 	}
+	if strings.HasPrefix(*e.role.Path, "/aws-reserved/sso.amazonaws.com/") {
+		return fmt.Errorf("cannot detach from SSO roles")
+	}
 	return nil
 }
diff --git a/resources/iam-roles.go b/resources/iam-roles.go
index 9d655e991..cddd8d8bf 100644
--- a/resources/iam-roles.go
+++ b/resources/iam-roles.go
@@ -73,6 +73,9 @@ func (e *IAMRole) Filter() error {
 	if strings.HasPrefix(e.path, "/aws-service-role/") {
 		return fmt.Errorf("cannot delete service roles")
 	}
+	if strings.HasPrefix(e.path, "/aws-reserved/sso.amazonaws.com/") {
+		return fmt.Errorf("cannot delete SSO roles")
+	}
 	return nil
 }
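Review bot: The added check in IAMRolePolicyAttachment.Filter dereferences `*e.role.Path` unguarded, so a nil Path (or a nil e.role, if that field is a pointer) panics the whole run instead of returning a Filter error; the existing service-role check on the line above only reads e.policyArn and has no such exposure. Since this guard exists precisely to keep SSO-managed roles from being touched, a panic here is worse than a skipped check because it aborts filtering for every other attachment too. Guard the dereference, e.g. `if e.role != nil && e.role.Path != nil && strings.HasPrefix(*e.role.Path, "/aws-reserved/sso.amazonaws.com/") {`, or copy the path into a plain string field at construction the way iam-roles.go does with e.path. The signature of Filter is in the hunk header, so the function starts before the hunk; the closing brace is inside it.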
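Review bot: The prefix literal `"/aws-reserved/sso.amazonaws.com/"` is now duplicated verbatim between IAMRole.Filter here and IAMRolePolicyAttachment.Filter in iam-role-policy-attachments.go, so a future correction to one protection (for example a trailing-slash or casing change) can silently leave the other one out of sync and re-expose SSO roles to deletion. A package-level constant, `const ssoRolePathPrefix = "/aws-reserved/sso.amazonaws.com/"`, used by both checks keeps the two safeguards identical; the same applies to the `/aws-service-role/` prefix on the context line above if the maintainers want to go further. The function starts before the hunk (its signature is only visible in the hunk header).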