Encrypt secret configuration at rest in Vault. Access keys either:
1. At runtime using the API (either via REST or a client library, e.g. node-vault)
- Encrypted variables are never exposed to AWS or in the console.
- Could be written into a library and reused based on AppRoles.
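
One way to implement the runtime option as a small reusable library, shown as an added example rather than code from the original page: it logs in with AppRole over Vault's REST API and reads a secret on demand. The `createVaultClient` name, its parameters, and a KV version 2 engine mounted at `secret/` are assumptions.

```javascript
// Added example: minimal AppRole client for Vault's HTTP API (Node 18+, built-in fetch).
// Assumptions: KV version 2 engine mounted at "secret/"; the Vault address, role_id and
// secret_id are delivered to the process by the deployment, never hard-coded.
function createVaultClient({ addr, roleId, secretId, mount = "secret", fetchImpl = globalThis.fetch }) {
  let token = null;
  let expiresAt = 0; // epoch ms after which we re-authenticate

  async function call(method, path, body, authToken) {
    const res = await fetchImpl(`${addr}/v1/${path}`, {
      method,
      headers: {
        "Content-Type": "application/json",
        ...(authToken ? { "X-Vault-Token": authToken } : {}),
      },
      body: body ? JSON.stringify(body) : undefined,
    });
    if (!res.ok) {
      // Report only the status; request bodies hold the secret_id and are never logged.
      throw new Error(`Vault ${method} ${path} failed: HTTP ${res.status}`);
    }
    return res.json();
  }

  async function login() {
    const out = await call("POST", "auth/approle/login", { role_id: roleId, secret_id: secretId });
    token = out.auth.client_token;
    const ttl = out.auth.lease_duration; // seconds; 0 means the token does not expire
    // Re-authenticate early, at 80% of the lease, so a read never uses a stale token.
    expiresAt = ttl > 0 ? Date.now() + ttl * 800 : Infinity;
  }

  // Read one secret; returns the key/value object stored at `path`.
  // The decrypted values live only in this process's memory.
  async function readSecret(path) {
    if (!token || Date.now() >= expiresAt) await login();
    const out = await call("GET", `${mount}/data/${path}`, undefined, token);
    return out.data.data; // KV v2 nests the payload under data.data
  }

  return { readSecret };
}
```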