Deploy on AWS into a new VPC

To install HashiCorp Vault on AWS, view the Quick Start deployment guide. You might also want to check out the AWS Quick Start for HashiCorp Consul, and view our complete Quick Start catalog.


This Quick Start sets up a flexible, scalable AWS Cloud environment, and launches HashiCorp Vault automatically into a configuration of your choice.

Vault centrally secures, stores, and tightly controls access to secrets across distributed infrastructure and applications. It handles leasing, key revocation, key rolling, and auditing. Users can access an encrypted key/value store and generate AWS IAM and AWS STS credentials.

The Quick Start includes AWS CloudFormation templates that automate the deployment, and a guide that provides step-by-step instructions to help you get the most out of your HashiCorp Vault implementation on the AWS Cloud.

  • What you'll build

    Use this Quick Start to set up the following HashiCorp Vault environment on AWS:

    • A virtual private cloud (VPC) configured with public and private subnets across three Availability Zones. This provides the network infrastructure for your HashiCorp Vault deployment.*
    • An Internet gateway to provide access to the Internet.*
    • In the public subnets, Linux bastion hosts to allow inbound Secure Shell (SSH) access to EC2 instances in the private subnets.*
    • In the private subnets, a HashiCorp Consul environment, as described in the HashiCorp Consul Quick Start deployment guide. Vault uses Consul DNS to discover and integrate with Consul.
    • In the private subnets, two Vault server nodes.
    • Your choice to create a new VPC or deploy into your existing VPC on AWS. The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks above.

    For details, see the Quick Start deployment guide.

  • Deployment details

    Build your HashiCorp Vault environment in a few simple steps:

    1. Sign up for an AWS account.
    2. Launch the Quick Start into a new VPC, if you want to build a new AWS infrastructure. (View template)
      Launch the Quick Start into an existing VPC, if you already have your AWS environment set up. (View template)
      The deployment takes about 10 minutes.
    3. Access Consul by using an SSH agent. 
    4. Initialize Vault.
    5. Unseal Vault.
    6. Enable audit logging.
    7. Seal Vault.
    8. Integrate Vault with your environment and create your first secret.

    To customize your deployment, you can choose different instance types for your resources, and change the number of Consul client and server nodes.  

    For detailed deployment and configuration instructions, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. See the pricing pages for each AWS service you will be using for cost estimates.

    This Quick Start uses the open-source version of HashiCorp Vault, which doesn’t require a license.