reference deployment

HashiCorp Vault on AWS

A unified interface to manage and encrypt secrets on the AWS Cloud

This Quick Start sets up a flexible, scalable Amazon Web Services (AWS) Cloud environment and launches HashiCorp Vault automatically into the configuration of your choice.

Vault lessens the need for static, hardcoded credentials by using trusted identities to centralize passwords and control access. It encrypts sensitive data both in transit and at rest using centrally managed and secured encryption keys, all through a single workflow and API. You can access a key-value store and generate AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) credentials.

The Quick Start includes AWS CloudFormation templates that automate the deployment and a guide that provides step-by-step instructions to help you get the most out of your HashiCorp Vault implementation.


This Quick Start was developed by HashiCorp, Inc. in partnership with AWS. HashiCorp is an
APN Partner.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • Use this Quick Start to set up the following HashiCorp Vault environment on AWS:

    • A virtual private cloud (VPC) with public and private subnets across three Availability Zones.
    • An internet gateway to provide access to the internet.*
    • A certificate from the AWS Certificate Manager (ACM) Secure Sockets Layer (SSL), assuming that the supplied hosted-zone ID and DNS name are associated with the Application Load Balancer.
    • An Application Load Balancer that can either be internal or external facing.
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources.
      • A Linux bastion host to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in the private subnets.
    • In the private subnets:
      • Auto Scaling groups that contain three, five, or seven HashiCorp Vault server instances across three Availability Zones.
    • An AWS Secrets Manager secret that contains the root token and unseal keys created during the HashiCorp Vault cluster initialization.
    • An AWS Key Management Service (AWS KMS) key that is used to auto unseal HashiCorp Vault as well as encrypt the AWS Secrets Manager secret.

    * The template that deploys the Quick Start into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To build your HashiCorp Vault cluster on AWS, follow the instructions in the deployment guide. Each deployment takes about 20 minutes and includes these steps:

    1. If you don't already have an AWS account, sign up at, and sign in to your account.
    2. Subscribe to Center for Internet Security (CIS) Ubuntu Linux 16.04 — Level 1.
    3. Launch the Quick Start. You can choose from two options:
    4. Review audit logs.
    5. Test the deployment.
    6. Get started with HashiCorp Vault.

    CIS Ubuntu Linux 16.04 LTS Benchmark - Level 1

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. See the pricing pages for cost estimates of each AWS service you use.

    This Quick Start uses the open-source version of HashiCorp Vault, which does not require a license.