SSH into the EC2 instance and run the following command:
aws ssm get-parameters --names MySecureParameter --with-decryption --region us-east-1
We should get the following response:
The parameter value should be decrypted.
We also have a get-parameter subcommand for the aws ssm CLI command; however, currently, the AWS-provided AmazonEC2RoleForEC2 role does not include it. You can add the permission manually and then use get-parameter.