Configuring Vault by Hashicorp in AWS EC2

April 15, 2019

Vault Quick Start in EC2

Create an S3 Bucket for Vault

aws s3 create-bucket --bucket VAULT_BUCKET_NAME

Create a Vault IAM User

Create two IAM policies and attach them to a dedicated IAM user named Vault.

Allow access to the newly created S3 bucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["S3_ACTIONS_PLACEHOLDER"],
      "Resource": ["arn:aws:s3:::VAULT_BUCKET_NAME/*"]
    }
  ]
}

Allow IAM actions required by Vault:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["IAM_ACTIONS_PLACEHOLDER"],
      "Resource": ["IAM_RESOURCE_ARN_PLACEHOLDER"]
    }
  ]
}
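Both policies above grant a long-lived IAM user access to Vault's storage, so the scope of their Action and Resource lists is what limits the blast radius of a leaked access key. The following is an added example (not code from the original post) that lints a policy document of this shape before it is attached: it flags wildcard actions, wildcard resources, and S3 ARNs outside the Vault bucket. The bucket name and the three sample policies are constructed placeholders, not the post's actual policy contents.

```python
"""Least-privilege lint for IAM policy documents like the two attached to the Vault user.

Added example, not code from the original post. The sample policies and the bucket
name below are constructed placeholders, not the post's actual policy contents.
"""
import json
from typing import List

VAULT_BUCKET = "VAULT_BUCKET_NAME"  # placeholder bucket name, as in the post
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value) -> list:
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _scoped_to_bucket(arn: str, bucket: str) -> bool:
    """True if an S3 ARN names the Vault bucket itself or a key inside it."""
    name = arn[len(S3_ARN_PREFIX):]
    return name == bucket or name.startswith(bucket + "/")


def lint_policy(document: str, bucket: str = VAULT_BUCKET) -> List[str]:
    """Return findings for Allow statements that grant more than Vault's storage needs."""
    policy = json.loads(document)
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource")
            elif resource.startswith(S3_ARN_PREFIX) and not _scoped_to_bucket(resource, bucket):
                findings.append(f"statement {idx}: S3 resource {resource!r} is outside the Vault bucket")
    return findings


# Constructed sample: scoped to the Vault bucket and to the S3 calls the storage
# backend issues (list, get, put, delete). Bucket-level and object-level ARNs both appear.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource": [f"{S3_ARN_PREFIX}{VAULT_BUCKET}", f"{S3_ARN_PREFIX}{VAULT_BUCKET}/*"],
    }],
})

# Constructed sample: the shape that is easy to paste from a console quick-start and
# hands the Vault user every S3 operation on every bucket in the account.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Constructed sample: right actions, wrong bucket.
WRONG_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": f"{S3_ARN_PREFIX}some-other-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY),
                      ("wrong bucket", WRONG_BUCKET_POLICY)]:
        print(name, lint_policy(doc) or "ok")
```

Run it against the JSON you are about to pass to the console or to `aws iam put-user-policy`; the scoped sample passes cleanly, the broad and wrong-bucket samples each produce a finding. The check is deliberately string-based so it works on the document before it exists in the account.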

Create a New Security Group

aws ec2 create-security-group --group-name vault-sg --description Vault | jq -r '.GroupId'

Expose Ports 22 and 8200

aws ec2 authorize-security-group-ingress --group-name vault-sg --protocol tcp --port 22 --cidr ''
aws ec2 authorize-security-group-ingress --group-name vault-sg --protocol tcp --port 8200 --cidr ''
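Whatever CIDR goes into those two `authorize-security-group-ingress` calls decides who can reach SSH and the Vault API, so it is worth checking the resulting group rather than trusting the command history. The following is an added example (not code from the original post) that reads the JSON printed by `aws ec2 describe-security-groups --group-names vault-sg` and reports every rule on ports 22 or 8200 whose source is 0.0.0.0/0, ::/0, or a prefix shorter than a chosen minimum. The sample document, its group id and its CIDRs are constructed, not output from a real account.

```python
"""Flag vault-sg ingress rules that expose SSH (22) or the Vault API (8200) to the world.

Added example, not code from the original post. It takes the JSON that
`aws ec2 describe-security-groups --group-names vault-sg` prints; the document below
is a constructed sample with a made-up group id and CIDRs, not output from a real account.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

VAULT_PORTS = (22, 8200)
# Prefixes shorter than these are reported as "broad" even when not 0.0.0.0/0 or ::/0.
MIN_PREFIX: Dict[int, int] = {4: 16, 6: 48}


def _rule_ports(perm: dict) -> Tuple[int, int]:
    """Port range covered by one IpPermissions entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return int(perm.get("FromPort", 0)), int(perm.get("ToPort", 65535))


def _classify(cidr: str) -> str:
    """'public' for a /0 prefix, 'broad' for a very short prefix, '' otherwise."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "public"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return "broad"
    return ""


def exposed_rules(describe_output: str, ports=VAULT_PORTS) -> List[Tuple[int, str, str]]:
    """Return (port, cidr, reason) for each watched port reachable from a public or broad source."""
    findings: List[Tuple[int, str, str]] = []
    for group in json.loads(describe_output).get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = _rule_ports(perm)
            hit_ports = [p for p in ports if lo <= p <= hi]
            if not hit_ports:
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                reason = _classify(cidr)
                if reason:
                    findings.extend((p, cidr, reason) for p in hit_ports)
    return findings


# Constructed sample in the describe-security-groups output shape (values are made up).
SAMPLE_DESCRIBE = json.dumps({
    "SecurityGroups": [{
        "GroupName": "vault-sg",
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 8200, "ToPort": 8200,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    }],
})

if __name__ == "__main__":
    for port, cidr, reason in exposed_rules(SAMPLE_DESCRIBE):
        print(f"port {port} open from {cidr} ({reason})")
```

Pipe the real CLI output into `exposed_rules` after running the two authorize commands; an empty result means both ports are limited to specific source ranges. The /24 on 8200 in the sample is accepted, the /8 is reported as broad, and the 443 rule is ignored because it is not a Vault port.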

Create an EC2 Instance

Create an EC2 instance with the latest AMI, using the vault-sg security group and the IAM user created above.

Wait a moment and SSH into the instance, then install Vault as follows:

cd /tmp && wget
cp vault /usr/bin/vault
vault --version

Make a directory for the Vault configuration:

mkdir -p /etc/vault.d

Configure Vault:

touch /etc/vault.d/vault.hcl

Add the following configuration to vault.hcl:

ui = true

listener "tcp" {
  address = ""
}

backend "s3" {
  bucket = "YOUR_AWS_BUCKET"
  region = "us-east-1"
}

Add a systemd service file for Vault:

ExecStart=/usr/bin/vault server -config /etc/vault.d/vault.hcl
ExecReload=/bin/kill -HUP $MAINPID

Start Vault:

service vault start

Find the public DNS name associated with your EC2 instance and visit that URL on port 8200.