====== IAM (Identity and Access Management) ======

**What it is:** AWS service for managing **who** can access AWS and **what** they can do.

**What it’s for:**
  * Create identities (users/roles) and attach permissions (policies).
  * Enforce *least privilege* /liːst ˈprɪvəlɪdʒ/ (grant only the permissions that are actually needed).
  * Avoid putting long-term access keys inside source code.

**Key ideas:**
  * IAM is **global** within an AWS account (not tied to one Region).
  * Permissions are defined by [[aws:security:iam:policy|policies]] (JSON documents).
  * Prefer **roles** for AWS services (EC2/Lambda/EKS) instead of static access keys.
  * Use [[aws:security:mfa|MFA]] for stronger login security.

**Common exam cues:**
  * “don’t store access keys on servers” → use an IAM Role.
  * “restrict access to only required actions” → least privilege + scoped policies.

**Hard words (English + IPA + Vietnamese meaning):**
  * *identity* /aɪˈdentəti/: danh tính
  * *access* /ˈækses/: truy cập
  * *permission* /pərˈmɪʃn/: quyền
  * *least privilege* /liːst ˈprɪvəlɪdʒ/: ít quyền nhất cần thiết

**Child pages:**
  * [[aws:security:iam:user|IAM User]]
  * [[aws:security:iam:group|IAM Group]]
  * [[aws:security:iam:role|IAM Role]]
  * [[aws:security:iam:policy|IAM Policy]]
  * [[.:iam:best-practices|IAM Best Practices]]
  * [[.:iam:privileged-users|Privileged Users]]
  * [[aws:security:iam:policy-evaluation|Policy Evaluation (How AWS decides allow/deny)]]
  * [[aws:security:iam:sts|STS (Security Token Service)]]
  * [[aws:security:iam:assume-role|AssumeRole]]
  * [[aws:security:iam:instance-profile|Instance Profile (EC2)]]
  * [[aws:security:iam:permission-boundary|Permission Boundary]]
  * [[aws:security:iam:least-privilege|Least Privilege]]
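**Worked example (added here, not from AWS or this wiki):** the "least privilege + scoped policies" cue above is easiest to see with a broad policy next to a scoped one. The two policy documents below are constructed samples (the bucket name ''example-reports-bucket'' is made up), and ''find_broad_allows'' is a small, hypothetical lint that flags ''Allow'' statements granting wildcard actions or a wildcard resource. It is not an AWS API; it only inspects the policy JSON structure.

```python
"""Tiny IAM policy lint: flag Allow statements with wildcard actions or resources.

Added illustration for the IAM overview page; not an AWS tool. Both policies
below are constructed samples, not real account configuration.
"""
import json

# Overly broad: every S3 action on every resource in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}

# Least privilege: read objects under one prefix of one (made-up) bucket,
# and list only that prefix.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-reports-bucket/reports/*",
        },
        {
            "Sid": "ListReportsPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-reports-bucket",
            "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}},
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_allows(policy):
    """Return human-readable findings for Allow statements that are not scoped.

    Flags: Action "*" or "<service>:*", Resource "*", and Allow + NotAction
    (which grants everything except the listed actions).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; not a least-privilege concern here
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
    return findings


def lint_policy_json(policy_json):
    """Convenience wrapper for a policy given as a JSON string (e.g. from a file)."""
    return find_broad_allows(json.loads(policy_json))


if __name__ == "__main__":
    for name, policy in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "->", find_broad_allows(policy) or ["no findings"])
```

A finding is a review prompt, not a verdict: a few actions (for example ''s3:ListAllMyBuckets'') genuinely require ''"Resource": "*"'', so the lint tells you where to look, and the [[aws:security:iam:policy-evaluation|policy evaluation]] page explains how AWS actually decides allow or deny.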