[crazypyro]

At my work, we have a vault service, but it takes 3 servers for vault plus another 3 for consul and they are not very cheap servers (m4.larges). Our rough calculations, using a 3x3 vault/consul architecture, estimated you'd need over 1100-1300 secrets to make it worth implementing vault (not including development/maintenance cost which could be significant. and if you have multiple, independent environments, it gets worse.

The real issue for some of the people at my work is the vendor lock-in versus vault.

[outworlder]

Consul only makes sense if you are already using it for something else. If just Vault, you can use DynamoDB (with full HA) or S3 (without HA support), same with Azure and Google Cloud (although without HA). There are other backends, like PostgreSQL.

[013a]

If you're already deployed inside Kubernetes or similar, Vault is Just Another Pod that is running, with HA and everything. You might not even need to add to your resource pool that is already provisioned. As for your backend, S3 is a great choice if you can tolerate no-HA, or DynamoDB if not.

Point being: if you're using a modern stack, you can use modern tools. If you're stuck on a legacy stack, you use legacy tools, and that appears to be who AWS is building for nowadays. Legacy tools, value-based pricing instead of cost-based, charge a boatload, buzzword heaven, sell it to the enterprise, rinse repeat.

The HSM component is the only part here that appears to be worth the price. Azure's competing product is a LOT cheaper, except that their HSM-generated keys are more expensive. Which naturally means, Azure is cost-based pricing, whereas AWS is value-based pricing.