====== Instance Profile (EC2) ======

**What it is:** A container that attaches an IAM Role to an EC2 instance.

**What it’s for:**
  * Let EC2 get temporary credentials automatically (no access keys on disk).
  * Enable EC2 to call AWS services like S3/DynamoDB/SSM.

**Key ideas:**
  * EC2 assumes the role via the instance profile.
  * Credentials are delivered via the EC2 metadata service (IMDS).

**Exam cues:**
  * “EC2 needs permission without storing keys” → use Instance Profile + Role.
  * “attach IAM role to EC2” → technically done via instance profile.

**Hard words:**
  * *metadata* /ˈmetəˌdeɪtə/: siêu dữ liệu
  * *deliver* /dɪˈlɪvər/: cung cấp
  * *automatically* /ˌɔːtəˈmætɪkli/: tự động