It should be made clear that this requires AWS KMS, and for automatic decryption, EC2 (so that the instances can be associated with an IAM role that has key decryption permission).
I think that's pretty clear in the article that's linked. It explicitly mentions AWS KMS and its reliance on it and how IAM roles are used to grant access to a secret.
It also states that KMS isn't a requirement, you can use Vault too.
It also states that KMS isn't a requirement, you can use Vault too.