What it is: A container that attaches an IAM Role to an EC2 instance.

What it’s for:

• Let EC2 get temporary credentials automatically (no access keys on disk).
• Enable EC2 to call AWS services like S3/DynamoDB/SSM.

Key ideas:

• EC2 assumes the role via the instance profile.
• Credentials are delivered via the EC2 metadata service (IMDS).

Exam cues:

• “EC2 needs permission without storing keys” → use Instance Profile + Role.
• “attach IAM role to EC2” → technically done via instance profile.

Hard words:

• *metadata* /ˈmetəˌdeɪtə/: siêu dữ liệu
• *deliver* /dɪˈlɪvər/: cung cấp
• *automatically* /ˌɔːtəˈmætɪkli/: tự động