diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws-ec2/backend.go
similarity index 98%
rename from builtin/credential/aws/backend.go
rename to builtin/credential/aws-ec2/backend.go
index 1ff343a343..af9bc86f27 100644
--- a/builtin/credential/aws/backend.go
+++ b/builtin/credential/aws-ec2/backend.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"sync"
@@ -160,7 +160,7 @@ func (b *backend) periodicFunc(req *logical.Request) error {
 }
 
 const backendHelp = `
-AWS auth backend takes in PKCS#7 signature of an AWS EC2 instance and a client
+aws-ec2 auth backend takes in PKCS#7 signature of an AWS EC2 instance and a client
 created nonce to authenticates the EC2 instance with Vault.
 
 Authentication is backed by a preconfigured role in the backend. The role
diff --git a/builtin/credential/aws/backend_test.go b/builtin/credential/aws-ec2/backend_test.go
similarity index 99%
rename from builtin/credential/aws/backend_test.go
rename to builtin/credential/aws-ec2/backend_test.go
index 4a69fa700d..18076fe9a2 100644
--- a/builtin/credential/aws/backend_test.go
+++ b/builtin/credential/aws-ec2/backend_test.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"encoding/base64"
diff --git a/builtin/credential/aws/client.go b/builtin/credential/aws-ec2/client.go
similarity index 99%
rename from builtin/credential/aws/client.go
rename to builtin/credential/aws-ec2/client.go
index 01259be690..59120eda19 100644
--- a/builtin/credential/aws/client.go
+++ b/builtin/credential/aws-ec2/client.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"fmt"
diff --git a/builtin/credential/aws/path_config_certificate.go b/builtin/credential/aws-ec2/path_config_certificate.go
similarity index 99%
rename from builtin/credential/aws/path_config_certificate.go
rename to builtin/credential/aws-ec2/path_config_certificate.go
index 7d1efe8571..ed225abdff 100644
--- a/builtin/credential/aws/path_config_certificate.go
+++ b/builtin/credential/aws-ec2/path_config_certificate.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"crypto/x509"
diff --git a/builtin/credential/aws/path_config_client.go b/builtin/credential/aws-ec2/path_config_client.go
similarity index 96%
rename from builtin/credential/aws/path_config_client.go
rename to builtin/credential/aws-ec2/path_config_client.go
index eea42546c7..008e3e69a0 100644
--- a/builtin/credential/aws/path_config_client.go
+++ b/builtin/credential/aws-ec2/path_config_client.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"github.com/fatih/structs"
@@ -193,7 +193,7 @@ Configure the client credentials that are used to query instance details from AW
 `
 
 const pathConfigClientHelpDesc = `
-AWS auth backend makes DescribeInstances API call to retrieve information regarding
-the instance that performs login. The aws_secret_key and aws_access_key registered with Vault should have the
-permissions to make the API call.
+aws-ec2 auth backend makes DescribeInstances API call to retrieve information regarding
+the instance that performs login. The aws_secret_key and aws_access_key registered with
+Vault should have the permissions to make the API call.
 `
diff --git a/builtin/credential/aws/path_config_tidy_identity_whitelist.go b/builtin/credential/aws-ec2/path_config_tidy_identity_whitelist.go
similarity index 99%
rename from builtin/credential/aws/path_config_tidy_identity_whitelist.go
rename to builtin/credential/aws-ec2/path_config_tidy_identity_whitelist.go
index 1ee5ed7f08..8fac923dc3 100644
--- a/builtin/credential/aws/path_config_tidy_identity_whitelist.go
+++ b/builtin/credential/aws-ec2/path_config_tidy_identity_whitelist.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"fmt"
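Review bot: The rewrapped pathConfigClientHelpDesc still tells operators the credentials are registered as `aws_secret_key` and `aws_access_key`, while the docs hunk in this same change documents the `config/client` endpoint as taking `access_key` and `secret_key`. If the field schema in this file uses the latter names (the schema is outside the hunk), the help text shown by path-help misleads whoever configures the backend; suggested wording: `the instance that performs login. The access_key and secret_key registered with` followed by `Vault should have the permissions to make the API call.` Either way the two parameter names should agree with the field definitions before this string is rewrapped again.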
diff --git a/builtin/credential/aws/path_config_tidy_roletag_blacklist.go b/builtin/credential/aws-ec2/path_config_tidy_roletag_blacklist.go
similarity index 99%
rename from builtin/credential/aws/path_config_tidy_roletag_blacklist.go
rename to builtin/credential/aws-ec2/path_config_tidy_roletag_blacklist.go
index 1d834030b0..071ab91446 100644
--- a/builtin/credential/aws/path_config_tidy_roletag_blacklist.go
+++ b/builtin/credential/aws-ec2/path_config_tidy_roletag_blacklist.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"fmt"
diff --git a/builtin/credential/aws/path_identity_whitelist.go b/builtin/credential/aws-ec2/path_identity_whitelist.go
similarity index 99%
rename from builtin/credential/aws/path_identity_whitelist.go
rename to builtin/credential/aws-ec2/path_identity_whitelist.go
index ba7b861b78..41954ca895 100644
--- a/builtin/credential/aws/path_identity_whitelist.go
+++ b/builtin/credential/aws-ec2/path_identity_whitelist.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"time"
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws-ec2/path_login.go
similarity index 99%
rename from builtin/credential/aws/path_login.go
rename to builtin/credential/aws-ec2/path_login.go
index 5e894b26eb..268e02f369 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"encoding/json"
diff --git a/builtin/credential/aws/path_role.go b/builtin/credential/aws-ec2/path_role.go
similarity index 99%
rename from builtin/credential/aws/path_role.go
rename to builtin/credential/aws-ec2/path_role.go
index e65bbfa252..d958e5f1bd 100644
--- a/builtin/credential/aws/path_role.go
+++ b/builtin/credential/aws-ec2/path_role.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"fmt"
@@ -54,7 +54,7 @@ using the AMI ID specified by this parameter.`,
 			"disallow_reauthentication": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Default:     false,
-				Description: "If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws/identity-whitelist/' endpoint.",
+				Description: "If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws-ec2/identity-whitelist/' endpoint.",
 			},
 		},
diff --git a/builtin/credential/aws/path_role_tag.go b/builtin/credential/aws-ec2/path_role_tag.go
similarity index 99%
rename from builtin/credential/aws/path_role_tag.go
rename to builtin/credential/aws-ec2/path_role_tag.go
index bf48a14b82..5544fd3017 100644
--- a/builtin/credential/aws/path_role_tag.go
+++ b/builtin/credential/aws-ec2/path_role_tag.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"crypto/hmac"
@@ -54,7 +54,7 @@ If set, the created tag can only be used by the instance with the given ID.`,
 			"disallow_reauthentication": &framework.FieldSchema{
 				Type:        framework.TypeBool,
 				Default:     false,
-				Description: "If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using the 'auth/aws/identity-whitelist/' endpoint.",
+				Description: "If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using the 'auth/aws-ec2/identity-whitelist/' endpoint.",
 			},
 		},
diff --git a/builtin/credential/aws/path_roletag_blacklist.go b/builtin/credential/aws-ec2/path_roletag_blacklist.go
similarity index 99%
rename from builtin/credential/aws/path_roletag_blacklist.go
rename to builtin/credential/aws-ec2/path_roletag_blacklist.go
index 0bbe33e5c2..62ef923ead 100644
--- a/builtin/credential/aws/path_roletag_blacklist.go
+++ b/builtin/credential/aws-ec2/path_roletag_blacklist.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"encoding/base64"
diff --git a/builtin/credential/aws/path_tidy_identity_whitelist.go b/builtin/credential/aws-ec2/path_tidy_identity_whitelist.go
similarity index 99%
rename from builtin/credential/aws/path_tidy_identity_whitelist.go
rename to builtin/credential/aws-ec2/path_tidy_identity_whitelist.go
index 58c6353787..f16637dbf6 100644
--- a/builtin/credential/aws/path_tidy_identity_whitelist.go
+++ b/builtin/credential/aws-ec2/path_tidy_identity_whitelist.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"fmt"
diff --git a/builtin/credential/aws/path_tidy_roletag_blacklist.go b/builtin/credential/aws-ec2/path_tidy_roletag_blacklist.go
similarity index 99%
rename from builtin/credential/aws/path_tidy_roletag_blacklist.go
rename to builtin/credential/aws-ec2/path_tidy_roletag_blacklist.go
index 6856b3473e..307cfdc7fe 100644
--- a/builtin/credential/aws/path_tidy_roletag_blacklist.go
+++ b/builtin/credential/aws-ec2/path_tidy_roletag_blacklist.go
@@ -1,4 +1,4 @@
-package aws
+package awsec2
 
 import (
 	"fmt"
diff --git a/cli/commands.go b/cli/commands.go
index c6f8d901be..92df1a540d 100644
--- a/cli/commands.go
+++ b/cli/commands.go
@@ -9,7 +9,7 @@ import (
 	"github.com/hashicorp/vault/version"
 
 	credAppId "github.com/hashicorp/vault/builtin/credential/app-id"
-	credAws "github.com/hashicorp/vault/builtin/credential/aws"
+	credAwsEc2 "github.com/hashicorp/vault/builtin/credential/aws-ec2"
 	credCert "github.com/hashicorp/vault/builtin/credential/cert"
 	credGitHub "github.com/hashicorp/vault/builtin/credential/github"
 	credLdap "github.com/hashicorp/vault/builtin/credential/ldap"
@@ -64,7 +64,7 @@ func Commands(metaPtr *meta.Meta) map[string]cli.CommandFactory {
 		},
 		CredentialBackends: map[string]logical.Factory{
 			"cert":     credCert.Factory,
-			"aws":      credAws.Factory,
+			"aws-ec2":  credAwsEc2.Factory,
 			"app-id":   credAppId.Factory,
 			"github":   credGitHub.Factory,
 			"userpass": credUserpass.Factory,
diff --git a/vault/auth.go b/vault/auth.go
index 2c1f2d2868..922580aa01 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -224,6 +224,12 @@ func (c *Core) loadCredentials() error {
 
 	// Upgrade to table-scoped entries
 	for _, entry := range c.auth.Entries {
+		// The auth backend "aws-ec2" was named "aws" in the master.
+		// This is to support upgrade procedure from "aws" to "aws-ec2".
+		if entry.Type == "aws" {
+			entry.Type = "aws-ec2"
+			needPersist = true
+		}
 		if entry.Table == "" {
 			entry.Table = c.auth.Type
 			needPersist = true
diff --git a/vault/auth_test.go b/vault/auth_test.go
index 40dbf8ef40..3df8f2149d 100644
--- a/vault/auth_test.go
+++ b/vault/auth_test.go
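Review bot: The new `if entry.Type == "aws"` rewrite in loadCredentials is unconditional and silent, so it will also convert any credential backend that is later legitimately registered under the type name "aws" the moment a persisted mount table is loaded, with no trace in the logs. Core already carries the factory map (`c.credentialBackends`, as the test hunk in this change shows), so — assuming it is populated before loadCredentials runs, as it is in that test — gate the rewrite on the old name no longer being registered, `if _, registered := c.credentialBackends["aws"]; !registered && entry.Type == "aws" {`, and log each upgraded entry so operators can see why the persisted table changed on its own. The comment should also state what is actually migrated: only `Type` is rewritten and the mount `Path` is left alone, so an upgraded install keeps answering on `auth/aws/...` while the renamed docs now say `auth/aws-ec2/...`; suggested wording: `// Entries persisted by releases that registered this backend as "aws" are retyped to "aws-ec2"; the mount path is deliberately left unchanged.` The enclosing loop and loadCredentials continue outside the hunk.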
@@ -1,12 +1,73 @@
 package vault
 
 import (
+	"encoding/json"
 	"reflect"
 	"testing"
 
 	"github.com/hashicorp/vault/logical"
 )
 
+func TestAuth_UpgradeAWSEC2Auth(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+
+	// create a no-op backend in the name of "aws"
+	c.credentialBackends["aws"] = func(*logical.BackendConfig) (logical.Backend, error) {
+		return &NoopBackend{}, nil
+	}
+
+	// create a mount entry and create an entry in the mount table
+	me := &MountEntry{
+		Table: credentialTableType,
+		Path:  "aws",
+		Type:  "aws",
+	}
+	err := c.enableCredential(me)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// save the mount table with an auth entry for "aws"
+	mt := c.auth
+	before, err := json.Marshal(mt)
+	if err != nil {
+		t.Fatal(err)
+	}
+	entry := &Entry{
+		Key:   coreAuthConfigPath,
+		Value: before,
+	}
+	if err := c.barrier.Put(entry); err != nil {
+		t.Fatal(err)
+	}
+
+	// create an expected value
+	var expectedMt MountTable
+	expectedMt = *c.auth
+
+	for _, entry := range expectedMt.Entries {
+		if entry.Type == "aws" {
+			entry.Type = "aws-ec2"
+		}
+	}
+	expected, err := json.Marshal(&expectedMt)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// loadCredentials should upgrade the mount table and the entry should now be "aws-ec2"
+	err = c.loadCredentials()
+
+	// read the entry back again and compare it with the expected value
+	actual, err := c.barrier.Get(coreAuthConfigPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !reflect.DeepEqual(expected, actual.Value) {
+		t.Fatalf("bad: expected\n%s\ngot\n%s\n", string(expected), string(entry.Value))
+	}
+}
+
 func TestCore_DefaultAuthTable(t *testing.T) {
 	c, key, _ := TestCoreUnsealed(t)
 	verifyDefaultAuthTable(t, c.auth)
diff --git a/website/source/docs/auth/aws.html.md b/website/source/docs/auth/aws-ec2.html.md
similarity index 87%
rename from website/source/docs/auth/aws.html.md
rename to website/source/docs/auth/aws-ec2.html.md
index 37452036b6..34c14c34f0 100644
--- a/website/source/docs/auth/aws.html.md
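Review bot: The error from the call under test is dropped: `err = c.loadCredentials()` is assigned and never checked, so a failing upgrade only surfaces later as a confusing byte mismatch; write `if err := c.loadCredentials(); err != nil { t.Fatalf("err: %v", err) }`. The mismatch message then prints the wrong side — `string(entry.Value)` is the `before` payload the test itself wrote to the barrier, not what was read back — and should be `string(actual.Value)`. Note also that `expectedMt = *c.auth` is a shallow copy; since the loop mutates `entry.Type` in place, the entries look like pointers shared with the live `c.auth`, so the test is rewriting the in-memory table before loadCredentials runs and only passes because loadCredentials reloads from the barrier — worth either a deep copy or a comment saying the expected value is derived that way on purpose. `bytes.Equal(expected, actual.Value)` would also be the idiomatic comparison for two byte slices rather than `reflect.DeepEqual`.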
+++ b/website/source/docs/auth/aws-ec2.html.md
@@ -1,14 +1,14 @@
 ---
 layout: "docs"
-page_title: "Auth Backend: AWS EC2"
-sidebar_current: "docs-auth-aws"
+page_title: "Auth Backend: AWS-EC2"
+sidebar_current: "docs-auth-aws-ec2"
 description: |-
-  The AWS EC2 backend allows automated authentication of AWS EC2 instances.
+  The aws-ec2 backend allows automated authentication of AWS EC2 instances.
 ---
 
-# Auth Backend: AWS EC2
+# Auth Backend: aws-ec2
 
-The AWS EC2 auth backend provides a secure introduction mechanism for AWS EC2
+The aws-ec2 auth backend provides a secure introduction mechanism for AWS EC2
 instances, allowing automated retrieval of a Vault token. Unlike most Vault
 authentication backends, this backend does not require first-deploying, or
 provisioning security-sensitive credentials (tokens, username/password, client
@@ -128,7 +128,7 @@ instance. The tag holds information that represents a *subset* of privileges tha
 are set on the role and are used to further restrict the set of the role's
 privileges for that particular instance.
 
-A `role_tag` can be created using `auth/aws/role//tag` endpoint
+A `role_tag` can be created using `auth/aws-ec2/role//tag` endpoint
 and is immutable. The information present in the tag is SHA256 hashed and HMAC
 protected. The per-role key to HMAC is only maintained in the backend. This
 prevents an adversarial operator from modifying the tag when setting it on the EC2 instance
@@ -153,7 +153,7 @@ If an EC2 instance loses its client nonce (due to a reboot, a stop/start of the
 client, etc.), subsequent login attempts will not succeed. If the client nonce is
 lost, normally the only option is to delete the entry corresponding to the
 instance ID from the identity `whitelist` in the backend. This can be done via
-the `auth/aws/identity-whitelist/` endpoint. This allows a new
+the `auth/aws-ec2/identity-whitelist/` endpoint. This allows a new
 client nonce to be accepted by the backend during the next login request.
 
 Under certain circumstances there is another useful setting. When the instance
@@ -213,7 +213,7 @@ to the operator. Although role tags are only restrictive (a tag cannot escalate
 privileges above what is set on its role), if a role tag is found to have been
 used incorrectly, and the administrator wants to ensure that the role tag has no
 further effect, the role tag can be placed on a `blacklist` via the endpoint
-`auth/aws/roletag-blacklist/`. Note that this will not invalidate the
+`auth/aws-ec2/roletag-blacklist/`. Note that this will not invalidate the
 tokens that were already issued; this only blocks any further login requests
 from those instances that have the blacklisted tag attached to them.
 
@@ -248,7 +248,7 @@ provided with the backend is applicable for many regions. Instances whose PKCS#7
 signatures cannot be verified by the default public certificate, can register a
 different public certificate which can be found [here]
 (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html),
-via the `auth/aws/config/certificate/` endpoint.
+via the `auth/aws-ec2/config/certificate/` endpoint.
 
 ### Dangling Tokens
 
@@ -274,19 +274,19 @@ Note: the client uses the official AWS SDK and will use environment variable or
 IAM role-provided credentials if available.
 
 ```
-$ vault write auth/aws/config/client secret_key=vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj access_key=VKIAJBRHKH6EVTTNXDHA
+$ vault write auth/aws-ec2/config/client secret_key=vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj access_key=VKIAJBRHKH6EVTTNXDHA
 ```
 
 #### Configure the policies on the role.
 
 ```
-$ vault write auth/aws/role/dev-role bound_ami_id=ami-fce3c696 policies=prod,dev max_ttl=500h
+$ vault write auth/aws-ec2/role/dev-role bound_ami_id=ami-fce3c696 policies=prod,dev max_ttl=500h
 ```
 
 #### Perform the login operation
 
 ```
-$ vault write auth/aws/login role=dev-role pkcs7=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 nonce=vault-client-nonce
+$ vault write auth/aws-ec2/login role=dev-role pkcs7=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 nonce=vault-client-nonce
 ```
@@ -301,19 +301,19 @@ curl -X POST -H "x-vault-token:123" "http://127.0.0.1:8200/v1/sys/auth/aws" -d '
 #### Configure the credentials required to make AWS API calls.
 
 ```
-curl -X POST -H "x-vault-token:123" "http://127.0.0.1:8200/v1/auth/aws/config/client" -d '{"access_key":"VKIAJBRHKH6EVTTNXDHA", "secret_key":"vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"}'
+curl -X POST -H "x-vault-token:123" "http://127.0.0.1:8200/v1/auth/aws-ec2/config/client" -d '{"access_key":"VKIAJBRHKH6EVTTNXDHA", "secret_key":"vCtSM8ZUEQ3mOFVlYPBQkf2sO6F/W7a5TVzrl3Oj"}'
 ```
 
 #### Configure the policies on the role.
 
 ```
-curl -X POST -H "x-vault-token:123" "http://127.0.0.1:8200/v1/auth/aws/role/dev-role -d '{"bound_ami_id":"ami-fce3c696","policies":"prod,dev","max_ttl":"500h"}'
+curl -X POST -H "x-vault-token:123" "http://127.0.0.1:8200/v1/auth/aws-ec2/role/dev-role -d '{"bound_ami_id":"ami-fce3c696","policies":"prod,dev","max_ttl":"500h"}'
 ```
 
 #### Perform the login operation
 
 ```
-curl -X POST "http://127.0.0.1:8200/v1/auth/aws/login" -d '{"role":"dev-role","pkcs7":"MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAaCAJIAEggGmewogICJkZXZwYXlQcm9kdWN0Q29kZXMiIDogbnVsbCwKICAicHJpdmF0ZUlwIiA6ICIxNzIuMzEuNjMuNjAiLAogICJhdmFpbGFiaWxpdHlab25lIiA6ICJ1cy1lYXN0LTFjIiwKICAidmVyc2lvbiIgOiAiMjAxMC0wOC0zMSIsCiAgImluc3RhbmNlSWQiIDogImktZGUwZjEzNDQiLAogICJiaWxsaW5nUHJvZHVjdHMiIDogbnVsbCwKICAiaW5zdGFuY2VUeXBlIiA6ICJ0Mi5taWNybyIsCiAgImFjY291bnRJZCIgOiAiMjQxNjU2NjE1ODU5IiwKICAiaW1hZ2VJZCIgOiAiYW1pLWZjZTNjNjk2IiwKICAicGVuZGluZ1RpbWUiIDogIjIwMTYtMDQtMDVUMTY6MjY6NTVaIiwKICAiYXJjaGl0ZWN0dXJlIiA6ICJ4ODZfNjQiLAogICJrZXJuZWxJZCIgOiBudWxsLAogICJyYW1kaXNrSWQiIDogbnVsbCwKICAicmVnaW9uIiA6ICJ1cy1lYXN0LTEiCn0AAAAAAAAxggEXMIIBEwIBATBpMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQwIJAJa6SNnlXhpnMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNjA0MDUxNjI3MDBaMCMGCSqGSIb3DQEJBDEWBBRtiynzMTNfTw1TV/d8NvfgVw+XfTAJBgcqhkjOOAQDBC4wLAIUVfpVcNYoOKzN1c+h1Vsm/c5U0tQCFAK/K72idWrONIqMOVJ8Uen0wYg4AAAAAAAA","nonce":"vault-client-nonce"}'
+curl -X POST "http://127.0.0.1:8200/v1/auth/aws-ec2/login" -d '{"role":"dev-role","pkcs7":"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","nonce":"vault-client-nonce"}'
 ```
@@ -347,7 +347,7 @@ The response will be in JSON. For example:
 ```
 
 ## API
-### /auth/aws/config/client
+### /auth/aws-ec2/config/client
 
 #### POST
Description
@@ -368,7 +368,7 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/config/client`
+
`/auth/aws-ec2/config/client`
Parameters
@@ -412,7 +412,7 @@ The response will be in JSON. For example:
GET
URL
-
`/auth/aws/config/client`
+
`/auth/aws-ec2/config/client`
Parameters
@@ -452,7 +452,7 @@ The response will be in JSON. For example:
DELETE
URL
-
`/auth/aws/config/client`
+
`/auth/aws-ec2/config/client`
Parameters
@@ -465,7 +465,7 @@ The response will be in JSON. For example:
-### /auth/aws/config/certificate/ +### /auth/aws-ec2/config/certificate/ #### POST
Description
@@ -478,7 +478,7 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/config/certificate/`
+
`/auth/aws-ec2/config/certificate/`
Parameters
@@ -515,7 +515,7 @@ The response will be in JSON. For example:
GET
URL
-
`/auth/aws/config/certificate/`
+
`/auth/aws-ec2/config/certificate/`
Parameters
@@ -552,7 +552,7 @@ The response will be in JSON. For example:
GET
URL
-
`/auth/aws/config/certificates?list=true`
+
`/auth/aws-ec2/config/certificates?list=true`
Parameters
@@ -580,7 +580,7 @@ The response will be in JSON. For example:
-### /auth/aws/config/tidy/identity-whitelist +### /auth/aws-ec2/config/tidy/identity-whitelist ##### POST
Description
@@ -592,7 +592,7 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/config/tidy/identity-whitelist`
+
`/auth/aws-ec2/config/tidy/identity-whitelist`
Parameters
@@ -631,7 +631,7 @@ The response will be in JSON. For example:
GET
URL
-
`/auth/aws/config/tidy/identity-whitelist`
+
`/auth/aws-ec2/config/tidy/identity-whitelist`
Parameters
@@ -669,7 +669,7 @@ The response will be in JSON. For example:
DELETE
URL
-
`/auth/aws/config/tidy/identity-whitelist`
+
`/auth/aws-ec2/config/tidy/identity-whitelist`
Parameters
@@ -683,7 +683,7 @@ The response will be in JSON. For example: -### /auth/aws/config/tidy/roletag-blacklist +### /auth/aws-ec2/config/tidy/roletag-blacklist ##### POST
Description
@@ -695,7 +695,7 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/config/tidy/roletag-blacklist`
+
`/auth/aws-ec2/config/tidy/roletag-blacklist`
Parameters
@@ -733,7 +733,7 @@ The response will be in JSON. For example:
GET
URL
-
`/auth/aws/config/tidy/roletag-blacklist`
+
`/auth/aws-ec2/config/tidy/roletag-blacklist`
Parameters
@@ -771,7 +771,7 @@ The response will be in JSON. For example:
DELETE
URL
-
`/auth/aws/config/tidy/roletag-blacklist`
+
`/auth/aws-ec2/config/tidy/roletag-blacklist`
Parameters
@@ -785,7 +785,7 @@ The response will be in JSON. For example: -### /auth/aws/role/ +### /auth/aws-ec2/role/ #### POST
Description
@@ -801,7 +801,7 @@ The response will be in JSON. For example:
POST
URL
-
`/auth/aws/role/`
+
`/auth/aws-ec2/role/`
Parameters
@@ -854,7 +854,7 @@ The response will be in JSON. For example:
  • disallow_reauthentication optional - If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws/identity-whitelist/' endpoint. Defaults to 'false'. + If set, only allows a single token to be granted per instance ID. In order to perform a fresh login, the entry in whitelist for the instance ID needs to be cleared using 'auth/aws-ec2/identity-whitelist/' endpoint. Defaults to 'false'.
  • @@ -876,7 +876,7 @@ The response will be in JSON. For example:
    GET
    URL
    -
    `/auth/aws/role/`
    +
    `/auth/aws-ec2/role/`
    Parameters
    @@ -923,7 +923,7 @@ The response will be in JSON. For example:
    GET
    URL
    -
    `/auth/aws/roles?list=true`
    +
    `/auth/aws-ec2/roles?list=true`
    Parameters
    @@ -964,7 +964,7 @@ The response will be in JSON. For example:
    DELETE
    URL
    -
    `/auth/aws/role/`
    +
    `/auth/aws-ec2/role/`
    Parameters
    @@ -977,7 +977,7 @@ The response will be in JSON. For example:
    -### /auth/aws/role//tag +### /auth/aws-ec2/role//tag #### POST
    Description
    @@ -990,7 +990,7 @@ The response will be in JSON. For example:
    POST
    URL
    -
    `/auth/aws/role//tag`
    +
    `/auth/aws-ec2/role//tag`
    Parameters
    @@ -1028,7 +1028,7 @@ The response will be in JSON. For example:
  • disallow_reauthentication optional - If set, only allows a single token to be granted per instance ID. This can be cleared with the auth/aws/identity-whitelist endpoint. Defaults to 'false'. + If set, only allows a single token to be granted per instance ID. This can be cleared with the auth/aws-ec2/identity-whitelist endpoint. Defaults to 'false'.
    • @@ -1061,7 +1061,7 @@ The response will be in JSON. For example:
    -### /auth/aws/login +### /auth/aws-ec2/login #### POST
    Description
    @@ -1075,7 +1075,7 @@ The response will be in JSON. For example:
    POST
    URL
    -
    `/auth/aws/login`
    +
    `/auth/aws-ec2/login`
    Parameters
    @@ -1140,7 +1140,7 @@ The response will be in JSON. For example:
    -### /auth/aws/roletag-blacklist/ +### /auth/aws-ec2/roletag-blacklist/ #### POST
    Description
    @@ -1156,7 +1156,7 @@ The response will be in JSON. For example:
    POST
    URL
    -
    `/auth/aws/roletag-blacklist/`
    +
    `/auth/aws-ec2/roletag-blacklist/`
    Parameters
    @@ -1187,7 +1187,7 @@ The response will be in JSON. For example:
    GET
    URL
    -
    `/auth/aws/broletag-blacklist/`
    +
    `/auth/aws-ec2/broletag-blacklist/`
    Parameters
    @@ -1226,7 +1226,7 @@ The response will be in JSON. For example:
    GET
    URL
    -
    `/auth/aws/roletag-blacklist?list=true`
    +
    `/auth/aws-ec2/roletag-blacklist?list=true`
    Parameters
    @@ -1266,7 +1266,7 @@ The response will be in JSON. For example:
    DELETE
    URL
    -
    `/auth/aws/roletag-blacklist/`
    +
    `/auth/aws-ec2/roletag-blacklist/`
    Parameters
    @@ -1279,7 +1279,7 @@ The response will be in JSON. For example:
    -### /auth/aws/tidy/roletag-blacklist +### /auth/aws-ec2/tidy/roletag-blacklist #### POST
    Description
    @@ -1291,7 +1291,7 @@ The response will be in JSON. For example:
    POST
    URL
    -
    `/auth/aws/tidy/roletag-blacklist`
    +
    `/auth/aws-ec2/tidy/roletag-blacklist`
    Parameters
    @@ -1310,7 +1310,7 @@ The response will be in JSON. For example:
    -### /auth/aws/identity-whitelist/ +### /auth/aws-ec2/identity-whitelist/ #### GET
    Description
    @@ -1322,7 +1322,7 @@ The response will be in JSON. For example:
    GET
    URL
    -
    `/auth/aws/identity-whitelist/`
    +
    `/auth/aws-ec2/identity-whitelist/`
    Parameters
    @@ -1371,7 +1371,7 @@ The response will be in JSON. For example:
    GET
    URL
    -
    `/auth/aws/identity-whitelist?list=true`
    +
    `/auth/aws-ec2/identity-whitelist?list=true`
    Parameters
    @@ -1411,7 +1411,7 @@ The response will be in JSON. For example:
    DELETE
    URL
    -
    `/auth/aws/identity-whitelist/`
    +
    `/auth/aws-ec2/identity-whitelist/`
    Parameters
    @@ -1424,7 +1424,7 @@ The response will be in JSON. For example:
    -### /auth/aws/tidy/identity-whitelist +### /auth/aws-ec2/tidy/identity-whitelist #### POST
    Description
    @@ -1436,7 +1436,7 @@ The response will be in JSON. For example:
    POST
    URL
    -
    `/auth/aws/tidy/identity-whitelist`
    +
    `/auth/aws-ec2/tidy/identity-whitelist`
    Parameters
    diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb index 386a1396be..92ca793a03 100644 --- a/website/source/layouts/docs.erb +++ b/website/source/layouts/docs.erb @@ -186,8 +186,8 @@ Username & Password - > - AWS EC2 Auth + > + AWS EC2 Auth