What it is: AWS service for managing who can access AWS and what they can do.

What it’s for:

• Create identities (users/roles) and attach permissions (policies).
• Enforce *least privilege* /liːst ˈprɪvəlɪdʒ/ (chỉ cấp đúng quyền cần).
• Avoid putting long-term access keys inside source code.

Key ideas:

• IAM is global within an AWS account (not tied to one Region).
• Permissions are defined by policies (JSON).
• Prefer roles for AWS services (EC2/Lambda/EKS) instead of static keys.
• Use MFA for stronger login security.

Common exam cues:

• “don’t store access keys on servers” → use IAM Role.
• “restrict access to only required actions” → least privilege + scoped policies.

Hard words (English + IPA + Vietnamese meaning):

• *identity* /aɪˈdentəti/: danh tính
• *access* /ˈækses/: truy cập
• *permission* /pərˈmɪʃn/: quyền
• *least privilege* /liːst ˈprɪvəlɪdʒ/: ít quyền nhất cần thiết

Child pages:

• IAM User
• IAM Group
• IAM Role
• IAM Policy
• Policy Evaluation (How AWS decides allow/deny)
• STS (Security Token Service)
• AssumeRole
• Instance Profile (EC2)
• Permission Boundary
• Least Privilege