====== EKS Pods: No "Direct IAM Policy on Pod" ======

**What it is:** Clarification that AWS does not natively attach an IAM *policy* directly to a Pod.

**What it's for:**
  * Correct a common misconception in exam answers.

**Key ideas:**
  * In EKS, the standard least-privilege approach is:
    * Pod → [[aws:containers:eks:service-account|Kubernetes Service Account]]
    * Service Account → [[aws:containers:eks:irsa|IRSA]] (role mapping)
    * IAM Role → IAM Policy
    * Temporary credentials issued by [[aws:security:iam:sts|STS]] (''AssumeRoleWithWebIdentity'' against the cluster's OIDC provider)
  * You might see "annotations" mentioned, but in IRSA the annotation (''eks.amazonaws.com/role-arn'') sits on the **service account** and references the **role ARN**. The Pod itself is not annotated and no policy is attached to it; the EKS admission webhook injects a projected service-account token and the ''AWS_ROLE_ARN'' / ''AWS_WEB_IDENTITY_TOKEN_FILE'' environment variables into Pods that use that service account, and the AWS SDK exchanges the token for temporary credentials.
  * The IAM role's trust policy is what limits *which* service account may assume it, via a ''StringEquals'' condition on the OIDC ''sub'' claim (''system:serviceaccount:<namespace>:<name>''). A wildcard or missing ''sub'' condition lets other service accounts in the cluster assume the role.
  * The newer EKS Pod Identity feature also binds a role to a **service account** (through an EKS pod identity association), not to an individual Pod.

**Exam takeaway:**
  * If an option says "attach policy directly to each Pod", treat it as wrong/misleading; IRSA is the correct model.

**Hard words:**
  * *natively* /ˈneɪtɪvli/: native (supported directly)
  * *misconception* /ˌmɪskənˈsepʃn/: misunderstanding
  * *annotation* /ˌænəˈteɪʃn/: metadata note
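The chain above (service-account annotation → role ARN → trust policy scoped to that service account) as an added example, not code from this page or from AWS. It builds the IRSA trust policy and service-account manifest for a given namespace/service account, then audits that the two line up and that the trust policy is not loosened with a wildcard or missing ''sub'' / ''aud'' condition. The account ID, OIDC provider ID, region and role name are placeholders.

```python
"""Build and audit the IRSA chain: ServiceAccount annotation -> IAM role trust policy.

Added example (not AWS tooling). ACCOUNT_ID, OIDC_ID, the region and the role
name are placeholders; substitute your cluster's values.
"""
from typing import Any

ACCOUNT_ID = "111122223333"                     # placeholder AWS account
OIDC_ID = "EXAMPLED539D4633E53DE1B71EXAMPLE"    # placeholder cluster OIDC provider ID
OIDC_HOST = f"oidc.eks.us-east-1.amazonaws.com/id/{OIDC_ID}"
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"


def irsa_trust_policy(namespace: str, sa_name: str) -> dict[str, Any]:
    """Trust policy that lets exactly one service account assume the role.

    The sub claim of the projected token is system:serviceaccount:<ns>:<name>;
    pinning aud to sts.amazonaws.com rejects tokens minted for other audiences.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{OIDC_HOST}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def service_account_manifest(namespace: str, sa_name: str, role_name: str) -> dict[str, Any]:
    """Kubernetes ServiceAccount carrying the IRSA annotation (the Pod is not annotated)."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": sa_name,
            "namespace": namespace,
            "annotations": {ROLE_ARN_ANNOTATION: f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"},
        },
    }


def _values(v: Any) -> list[str]:
    # IAM condition values may be a string or a list of strings.
    return v if isinstance(v, list) else [v]


def audit_irsa(sa_manifest: dict[str, Any], trust_policy: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means the chain is consistent and tightly scoped."""
    findings: list[str] = []
    meta = sa_manifest.get("metadata", {})
    if not meta.get("annotations", {}).get(ROLE_ARN_ANNOTATION):
        return [f"service account has no {ROLE_ARN_ANNOTATION} annotation; IRSA is not in effect"]
    expected_sub = f"system:serviceaccount:{meta['namespace']}:{meta['name']}"

    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _values(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        subs: list[str] = []
        for op in ("StringEquals", "StringLike"):
            for key, val in cond.get(op, {}).items():
                if key.endswith(":sub"):
                    subs.extend(_values(val))
        if not subs:
            findings.append("no :sub condition: any service account in the cluster can assume the role")
        for sub in subs:
            if "*" in sub or "?" in sub:
                findings.append(f"wildcard sub {sub!r}: more than one service account can assume the role")
            elif sub != expected_sub:
                findings.append(f"sub {sub!r} does not match annotated service account {expected_sub!r}")
        auds = [a for k, v in cond.get("StringEquals", {}).items() if k.endswith(":aud") for a in _values(v)]
        if auds != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings


if __name__ == "__main__":
    sa = service_account_manifest("payments", "api", "payments-api-role")
    print(audit_irsa(sa, irsa_trust_policy("payments", "api")))   # [] -> tightly scoped
    loose = irsa_trust_policy("payments", "api")
    loose["Statement"][0]["Condition"] = {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:payments:*"}}
    print(audit_irsa(sa, loose))                                  # wildcard + aud findings
```

Note where each control lives: the Pod only gets the role because its ''spec.serviceAccountName'' points at the annotated service account, and the trust policy's ''sub'' condition is the part that actually enforces "this service account and no other". Reviewing ''StringLike'' wildcards on ''sub'' is the check to run before trusting an IRSA role in production.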