- False – the KMS service allows you to use AWS-created keys as well as your own private keys
- A KMS alias
- CloudFormation Exports
- False – you can recover the secret for a configurable period of time, up to a maximum of 30 days
- The AWS CLI and jq utility
- You must grant the kms:Decrypt permission for the KMS key that was used to encrypt the secret value
- The NoEcho property
- The AWS_DEFAULT_REGION environment variable