HashiCorp Vault on AWS

HashiCorp Vault on AWS

Vault is an enterprise secret management tool. Instead of storing passwords in environment variables or config files, Vault stores secrets centrally with encryption, audit logging, and dynamic credential generation.

Why Vault for AWS Secrets?

Centralized Secret Storage

• All passwords, API keys, certificates in one place
• Encryption at rest (AES 256-bit)
• Audit log of every secret access

Dynamic Credentials

• Generate temporary credentials on-demand
• Database password valid 1 hour, then auto-revoked
• Reduces blast radius if credentials leaked

Automatic Rotation

• Vault automatically rotates passwords
• Applications always have fresh credentials
• Leaked old credentials become useless quickly

Multi-Cloud

• Works on AWS, Azure, GCP, on-premises
• Centralized secret management across clouds
• Reduce vendor lock-in

Vault vs AWS Secrets Manager

Vault Architecture on AWS

Vault Server (EC2 instances)

• Runs Vault daemon
• Auto-scaling group for high availability
• Behind Network Load Balancer

Storage Backend (DynamoDB or S3)

• Stores encrypted secrets
• Accessible only by Vault servers
• S3 for simplicity, DynamoDB for better HA

Authentication (IAM)

• Applications authenticate via AWS IAM roles
• Vault verifies identity with AWS API
• Issues temporary credentials

How It Works

1. Application starts on EC2 with IAM role

App → Vault: "Here's my IAM role, give me database password"
Vault → AWS: "Is this IAM role real?"
AWS → Vault: "Yes, it's real"
Vault → App: "Here's temporary password, valid for 1 hour"

2. Application accesses database

App → RDS: "Here's password from Vault"
RDS: "Password is valid, connection accepted"

3. One hour later, password expires

Vault automatically revokes the password
If someone has it, it no longer works

Vault Features for AWS

Secret Engines

• AWS: generate temporary AWS access keys
• Database: create temporary database passwords
• SSH: sign SSH keys for ephemeral access
• PKI: issue TLS certificates

Auth Methods

• AWS IAM: authenticate with IAM role
• Kubernetes: authenticate with service account
• AppRole: application-specific auth
• LDAP: authenticate with directory

Policies

• Grant access to specific secrets
• Time-based restrictions
• Multi-step approval workflows

Vault Deployment on AWS

Self-Hosted (Complex)

• EC2 instances for Vault servers (HA setup)
• DynamoDB for storage backend
• Network Load Balancer for access
• CloudWatch for monitoring
• Estimated: $300-500/month + operational overhead

HCP Vault (Managed)

• HashiCorp manages infrastructure
• Starting: $200/month
• Simpler operations
• Less control

Decision Matrix

• Simple secrets only? Use Secrets Manager
• Advanced features needed? Use Vault
• Multi-cloud? Must use Vault
• Budget-constrained? Secrets Manager or HCP Vault

Best Practices

Security

• Enable audit logging (log all secret access)
• Implement MFA for Vault access
• Use IP whitelisting
• Rotate encryption keys regularly

Operations

• Backup secrets regularly
• Test disaster recovery
• Monitor secret access patterns
• Alert on failed authentication attempts

Application Integration

• Use init containers to fetch secrets (Kubernetes)
• Cache secrets in memory (don’t re-request every call)
• Handle credential refresh gracefully
• Implement secret versioning

Related Services

• Cloud Security & Compliance
• AWS Consulting