SSH into the EC2 instance and run the following command:

aws ssm get-parameters --names MySecureParameter --with-decryption --region us-east-1

We should get the following response:

The parameter value should be decrypted.

We also have a get-parameter subcommand for the aws ssm CLI command; however, currently, the AWS-provided AmazonEC2RoleForEC2 role does not include it. You can add the permission manually and then use get-parameter.