
EKS Pods: No “Direct IAM Policy on Pod”

What it is: Clarification that AWS does not natively attach an IAM *policy* directly to a Pod.

What it’s for:

  • Correct a common misconception in exam answers.

Key ideas:

  • In EKS, the standard least-privilege approach is:
  • You might see “annotations” mentioned, but in IRSA the annotation is typically on the service account to reference the role ARN — not attaching policies directly to Pods.
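An added example, not part of the original note: a small manifest check that resolves each Pod's IAM role through its service account and flags a role annotation placed on the Pod itself. It assumes the annotation key `eks.amazonaws.com/role-arn` (the page does not name it), manifests already parsed into dicts, and a placeholder account ID and role name.

```python
# Added example; manifests below are constructed, not taken from a real cluster.
ROLE_ARN_KEY = "eks.amazonaws.com/role-arn"  # IRSA annotation key (not named on the page)
ARN = "arn:aws:iam::111122223333:role/example-s3-reader"  # placeholder account and role

def pod_parts(obj):
    """Return (pod metadata, pod spec) for a Pod or a workload with spec.template."""
    if obj["kind"] == "Pod":
        return obj.get("metadata", {}), obj.get("spec", {})
    template = obj.get("spec", {}).get("template")
    if template is None:
        return None  # ServiceAccount, Service, ... carry no pod spec
    return template.get("metadata", {}), template.get("spec", {})

def audit(manifests):
    """Resolve each pod's IAM role via its service account; flag pod-level role annotations."""
    sa_roles = {}
    for m in manifests:
        if m["kind"] == "ServiceAccount":
            meta = m["metadata"]
            key = (meta.get("namespace", "default"), meta["name"])
            sa_roles[key] = meta.get("annotations", {}).get(ROLE_ARN_KEY)
    findings = []
    for m in manifests:
        parts = pod_parts(m)
        if parts is None:
            continue
        pod_meta, pod_spec = parts
        ns = m["metadata"].get("namespace", "default")
        sa = pod_spec.get("serviceAccountName", "default")  # Kubernetes default SA
        findings.append({
            "name": m["metadata"]["name"],
            "service_account": sa,
            "effective_role": sa_roles.get((ns, sa)),  # None: no IRSA role
            "misplaced_annotation": ROLE_ARN_KEY in pod_meta.get("annotations", {}),
        })
    return findings

SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "s3-reader", "namespace": "app",
                                            "annotations": {ROLE_ARN_KEY: ARN}}},
    {"kind": "Pod", "metadata": {"name": "good", "namespace": "app"},
     "spec": {"serviceAccountName": "s3-reader"}},
    {"kind": "Pod", "metadata": {"name": "bad", "namespace": "app",
                                 "annotations": {ROLE_ARN_KEY: ARN}}, "spec": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The Pod named "bad" carries the role ARN in its own annotations but runs under the unannotated default service account, so the check reports no effective role for it.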

Exam takeaway:

  • If an option says “attach policy directly to each Pod”, treat it as wrong/misleading; IRSA is the correct model.

Hard words:

  • *natively* /ˈneɪtɪvli/: "native" (directly supported)
  • *misconception* /ˌmɪskənˈsepʃn/: misunderstanding
  • *annotation* /ˌænəˈteɪʃn/: metadata note
aws/containers/eks/pod/no-direct-iam-policy.txt · Last modified: by phong2018