Comment by camil
Thanks for the feedback! Didn't plan to bring any confusion with that. The AWS KMS is used by the platform to encrypt/decrypt sensitive data before/after storing it in Vault and is part of the tech stack used to develop the platform.
It's more the thing that, if you put secrets on AWS, you are STILL dependent on AWS even if you run things on Hetzner. It would be better if you find a solution for secrets maintenance which runs on Hetzner.