====== IAM Best Practices ======

**What it is:** Recommended security practices for managing identities and permissions in AWS.

**What it's for:**
  * Reduce the risk of account compromise.
  * Improve auditing and accountability (every action is traceable to one identity).
  * Enforce least privilege.

**Top exam best practices:**
  * Enable [[aws:security:mfa|MFA]] for privileged users (admins / power users).
  * Enable [[aws:security:cloudtrail|CloudTrail]] so that every IAM API call is logged and can be audited.

**Common wrong practices (and what to do instead):**
  * Don't put long-term user access keys on EC2 instances; attach an [[aws:security:iam:instance-profile|Instance Profile (IAM Role)]] so the instance gets short-lived, automatically rotated credentials.
  * Don't grant maximum privileges (wildcard actions on wildcard resources); follow [[aws:security:iam:least-privilege|Least Privilege]] and scope each statement to the actions and resources actually needed.
  * Don't share credentials between people or systems; give each user an individual identity and use roles for cross-account or service access.

**Hard words (English + IPA + meaning):**
  * *privileged* /ˈprɪvəlɪdʒd/: having special rights or elevated permissions
  * *auditing* /ˈɔːdɪtɪŋ/: systematic review of records and actions
  * *accountability* /əˌkaʊntəˈbɪləti/: clear responsibility for one's actions
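As an added example (not from the original page and not an AWS-provided tool), the Python script below statically checks IAM policy documents for two of the mistakes listed above: "maximum privilege" statements (a wildcard action on a wildcard resource) and privileged access that is not gated on MFA. The sample policies, the bucket name `example-bucket` and the function names are constructed for illustration. The MFA check also handles a subtle failure mode: a `Deny` that uses `Bool` instead of `BoolIfExists` on `aws:MultiFactorAuthPresent` does not fire for requests signed with plain long-term access keys, because the key is absent from that request context and `Bool` then evaluates to false.

```python
"""Static linter for IAM policy documents (hypothetical example).

Checks two practices from the page: least privilege (no wildcard grants)
and MFA enforcement for privileged access. All sample policies below are
constructed for the example; they are not real account policies.
"""
import json

MFA_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept either a parsed dict or the raw JSON text of a policy."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return _as_list(policy.get("Statement"))


def _is_wildcard_action(action):
    """'*' grants every action; 'svc:*' grants every action in a service."""
    return action == "*" or action.endswith(":*")


def find_overbroad_statements(policy):
    """Return Sids (or positional labels) of Allow statements that grant a
    wildcard action on a wildcard resource, i.e. 'maximum privileges'."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(_is_wildcard_action(a) for a in actions) and "*" in resources:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


def _has_mfa_condition(stmt, operator, expected):
    """True if stmt's Condition tests MFA_KEY with `operator` for `expected`."""
    value = stmt.get("Condition", {}).get(operator, {}).get(MFA_KEY)
    return value is not None and str(value).lower() == expected


def enforces_mfa(policy):
    """True if the policy is unusable without MFA.

    Two accepted patterns:
      1. every Allow carries Bool aws:MultiFactorAuthPresent = true
         (a missing key makes Bool false, so the Allow simply does not apply);
      2. a Deny on */* with BoolIfExists aws:MultiFactorAuthPresent = false.
         BoolIfExists is required here: with plain Bool the Deny would not
         match requests that carry no MFA key at all (long-term access keys).
    """
    stmts = _statements(policy)
    allows = [s for s in stmts if s.get("Effect") == "Allow"]
    if allows and all(_has_mfa_condition(s, "Bool", "true") for s in allows):
        return True
    for s in stmts:
        if (s.get("Effect") == "Deny"
                and "*" in _as_list(s.get("Action"))
                and "*" in _as_list(s.get("Resource"))
                and _has_mfa_condition(s, "BoolIfExists", "false")):
            return True
    return False


def audit(policy):
    """Summarise both checks for one policy document."""
    return {"overbroad": find_overbroad_statements(policy),
            "mfa_enforced": enforces_mfa(policy)}


# Constructed sample policies (not real account policies).
ADMIN_NO_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

SCOPED_WITH_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S3ObjectAccess", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {MFA_KEY: "false"}}}]}

# Same intent as above, but the Deny uses Bool: access keys with no MFA
# context key slip through, so the linter must not accept it.
WEAK_MFA_DENY = json.loads(json.dumps(SCOPED_WITH_MFA))
WEAK_MFA_DENY["Statement"][1]["Condition"] = {"Bool": {MFA_KEY: "false"}}

if __name__ == "__main__":
    for name, pol in [("ADMIN_NO_MFA", ADMIN_NO_MFA),
                      ("SCOPED_WITH_MFA", SCOPED_WITH_MFA),
                      ("WEAK_MFA_DENY", WEAK_MFA_DENY)]:
        print(name, audit(pol))
```

Run it against exported policies (`aws iam get-policy-version` output, for instance) and treat any `overbroad` hit on a human-assumed policy, or `mfa_enforced: False` on an admin or power-user policy, as a finding to fix before the next access review.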