# Microservices Security (Service Identity/mTLS)

One-sentence definition: Authenticate and authorize every service-to-service call with a strong per-service identity and an explicit policy of who may call whom.

## Key Facts

- Use a service mesh (sidecar proxies) or a shared client/server library to terminate mTLS and enforce authorization policy, retries and timeouts uniformly, rather than each team hand-rolling them.
- Give every service its own identity (SPIFFE-style `spiffe://<trust-domain>/<path>`, carried in a short-lived X.509 certificate) and write policy in terms of those identities: which caller may invoke which service and method.
- mTLS authenticates the calling service, not the end user. Propagate the end-user identity separately, as a token the callee verifies itself, and authorize against the user's rights; a callee that acts on the caller's privileges instead is a confused deputy.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Prefer mTLS with per-service identities plus explicit policy over a shared secret between services: a shared secret grants every holder the same rights and cannot be revoked for one service alone.

**Mnemonic:** “**Identity first, then policy**.”

## Mini Scenario

Q: One shared “internal” token is used by every service. What is the risk?

A: Any compromised service can call any other service with full rights (lateral movement), and the token cannot be rotated or revoked for one service without breaking all of them. Move to per-service mTLS identities and short-lived, narrowly scoped tokens.

## Revision Checklist

- Identity mechanism.
- Policy example.
- Deputy problem.

## Related

[[Secure Architecture Patterns (Layered Microservices Zero Trust)]] · [[Application Key Management and Secrets Management]] · [[API Security Fundamentals (REST GraphQL gRPC)]] · [[CI CD Security (Runners Secrets Artifacts)]] · [[Domain 8 - Index]]
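The “identity first, then policy” check from the Key Facts, together with the shared-token scenario and the confused-deputy guard, as an added Python example that is not part of the original note. The trust domain `prod.example`, the service names, the `x-end-user` header, the `authorize` function and the allow-list are all constructed assumptions; the one fact taken from the SPIFFE X.509-SVID format is that the SPIFFE ID travels as the certificate's single URI SAN. The code models what a callee does after the mTLS handshake has already succeeded, so no certificates or sockets are needed to run it.

```python
"""Added, illustrative authorizer: per-service identity mapped to policy.
Constructed example, not code from the page: the callee has finished the mTLS
handshake and holds the peer certificate's URI SANs; it derives the caller's
SPIFFE ID and applies an allow-list of who may call which method."""
from __future__ import annotations

import re
from dataclasses import dataclass

_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")

def parse_spiffe_id(uri: str) -> tuple[str, str]:
    """Return (trust_domain, path) for 'spiffe://<trust-domain>/<path>'; rejects
    empty or dot segments, query/fragment characters and upper-case domains."""
    prefix = "spiffe://"
    if not uri.startswith(prefix):
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    trust_domain, slash, path = uri[len(prefix):].partition("/")
    if not _TRUST_DOMAIN.match(trust_domain):
        raise ValueError(f"bad trust domain in {uri!r}")
    if not slash or not path or any(
        seg in ("", ".", "..") or not _PATH_SEGMENT.match(seg)
        for seg in path.split("/")
    ):
        raise ValueError(f"bad path in {uri!r}")
    return trust_domain, "/" + path

def caller_id_from_san(uri_sans: list[str]) -> str:
    """An X.509-SVID carries exactly one URI SAN (the SPIFFE ID); anything else
    is rejected so a mis-issued or crafted certificate cannot pick an identity."""
    if len(uri_sans) != 1:
        raise ValueError(f"expected exactly one URI SAN, got {len(uri_sans)}")
    trust_domain, path = parse_spiffe_id(uri_sans[0])
    return f"spiffe://{trust_domain}{path}"

@dataclass(frozen=True)
class Policy:
    trust_domain: str
    allow: dict[str, dict[str, frozenset[str]]]  # callee -> method -> allowed callers
    may_assert_end_user: frozenset[str]  # callers allowed to forward a user identity

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    caller: str | None = None
    end_user: str | None = None

def authorize(policy: Policy, callee: str, method: str,
              peer_uri_sans: list[str], headers: dict[str, str]) -> Decision:
    """Identity first (from the peer certificate), then policy (who may call whom)."""
    try:
        caller = caller_id_from_san(peer_uri_sans)
    except ValueError as exc:
        return Decision(False, f"identity: {exc}")
    if parse_spiffe_id(caller)[0] != policy.trust_domain:
        return Decision(False, "caller is from a foreign trust domain", caller)
    if caller not in policy.allow.get(callee, {}).get(method, frozenset()):
        return Decision(False, f"{caller} may not call {callee}.{method}", caller)
    # Confused-deputy guard: a bare end-user header is trusted only from callers
    # entitled to assert one; in production the user identity should be a signed
    # token the callee verifies itself, not a plain header.
    end_user = headers.get("x-end-user")
    if end_user is not None and caller not in policy.may_assert_end_user:
        return Decision(False, f"{caller} may not assert an end-user identity", caller)
    return Decision(True, "allowed", caller, end_user)

# Constructed sample policy for the hypothetical trust domain "prod.example".
CHECKOUT = "spiffe://prod.example/ns/shop/sa/checkout"
RECOMMENDER = "spiffe://prod.example/ns/shop/sa/recommender"
GATEWAY = "spiffe://prod.example/ns/edge/sa/gateway"
SAMPLE_POLICY = Policy(
    trust_domain="prod.example",
    allow={
        "payments": {"Charge": frozenset({CHECKOUT}),
                     "GetStatus": frozenset({CHECKOUT, RECOMMENDER})},
        "checkout": {"Submit": frozenset({GATEWAY})},
    },
    may_assert_end_user=frozenset({GATEWAY}),
)

def demo() -> list[Decision]:
    """Four constructed calls: allowed; wrong caller; two URI SANs in one cert
    (ambiguous, rejected); a non-gateway caller forwarding an end-user header."""
    return [
        authorize(SAMPLE_POLICY, "payments", "Charge", [CHECKOUT], {}),
        authorize(SAMPLE_POLICY, "payments", "Charge", [RECOMMENDER], {}),
        authorize(SAMPLE_POLICY, "payments", "GetStatus", [CHECKOUT, GATEWAY], {}),
        authorize(SAMPLE_POLICY, "payments", "GetStatus", [RECOMMENDER],
                  {"x-end-user": "alice@example.com"}),
    ]

if __name__ == "__main__":
    for decision in demo():
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

Running the file prints one decision per constructed call. Note the ordering: a certificate with two URI SANs, a foreign trust domain or a malformed SPIFFE ID is refused before the allow-list is consulted, which is what the mnemonic means by identity first. A shared “internal” token has no equivalent of the `caller` field, so the second and fourth denials could not be expressed at all.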