Joseph,
As ASA do not support any sort of tunnel-interface-based VPN, you're correct in thinking that you cannot use a VTI.
By "policy-based VPN" I'm assuming that you're referring to a crypto map? If so, here's a pretty good supportforums post which discusses building a tunnel between an IOS router (ie. your CSR) and an ASA. As for the pre-shared key, you should have these configured with whatever IP address will actually be seen by the device. For example, if the real IP address on your CSR is 10.1.1.1, but it's being NAT'd to 64.1.1.1, you should have the 64.1.1.1 address in the ASA configuration for your pre-shared key, crypto map peer, and tunnel group name. The same is true on the CSR if the ASA were to be behind NAT. (There is an exception to this if you choose to use ISAKMP profiles, but let's not complicate things).
You may want to consider taking a look at the general Security > VPN supportforums posts as they would probably be very helpful. While having a CSR in AWS is somewhat unique situations, the majority of "typical" VPN configuration and troubleshooting will apply here as well.
HTH,
Frank