diff --git a/Core-Concepts.md b/Core-Concepts.md new file mode 100644 index 0000000..856da33 --- /dev/null +++ b/Core-Concepts.md @@ -0,0 +1,8 @@ +Before deployment, it's important to understand the two primary security patterns for granting the server permissions. The pattern you choose depends on where your server is hosted. + +- **Pattern A: IAM Roles for EC2 (Recommended)** + This is the standard, most secure method for workloads running within AWS. An IAM Role is attached to the EC2 instance, which then automatically receives short-lived, temporary credentials from the EC2 metadata service. This completely avoids the need to store static access keys on the server. + +- **Pattern B: IAM Users for External Servers** + For servers running outside of AWS (e.g., on-premises, other clouds), an IAM Role cannot be used. This pattern involves creating a dedicated IAM User with a narrowly scoped policy and long-lived static access keys (`AccessKeyId` and `SecretAccessKey`). This requires careful manual credential management. +
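Review bot: the Pattern B bullet closes with "This requires careful manual credential management" but does not say what that management consists of, so a reader choosing this pattern gets no actionable guidance; consider adding one or two sentences naming the concrete obligations (rotate the access key on a fixed schedule, keep the `AccessKeyId`/`SecretAccessKey` pair in a secrets store or environment rather than in a checked-in config file, and deactivate the previous key after rotation), since long-lived static keys are the main risk this pattern introduces. Likewise, the Pattern A bullet could note that the role is attached via an instance profile and that the instance should be configured to require IMDSv2 when fetching the temporary credentials, so that "most secure method" rests on a stated configuration rather than on the default.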