@daaru00
Last active February 13, 2021 15:31
AWS CloudFormation manage secrets with System Manager Parameter
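```javascript
// lambda.js: the template's "Handler: lambda.handler" expects this file to export `handler`
const axios = require('axios')

/**
 * AWS clients
 */
const SSM = require('aws-sdk/clients/ssm')
const ssm = new SSM()

/**
 * Lambda handler
 */
module.exports.handler = async () => {
  // Retrieve the parameter value at invocation time, using the name passed in by the template
  const { Parameter: param } = await ssm.getParameter({
    Name: process.env.SECRET_PARAMETER_NAME
  }).promise()

  // Use the value. '/protected' is a placeholder path: in Node, axios needs an
  // absolute URL (or a configured baseURL) for this request to succeed.
  await axios.post('/protected', {}, {
    headers: {
      Authorization: `Basic ${param.Value}`
    }
  })
}
```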
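```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform:
  - AWS::Serverless-2016-10-31

# Template Parameters
Parameters:
  SecretValue:
    Type: String
    Description: "A secret value"
    # NoEcho masks the parameter value in console, CLI and API output;
    # it does not mask the value once it is referenced in a resource's Properties.
    NoEcho: true

# Global function defaults
Globals:
  Function:
    Runtime: nodejs12.x
    Timeout: 3
    CodeUri: ./

# Template Resources
Resources:
  SecretValueParameter:
    Type: AWS::SSM::Parameter
    Properties:
      # CloudFormation creates only String/StringList parameters here,
      # so the value is stored as plain text, not as a SecureString.
      Type: String
      Value: !Ref SecretValue

  LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-function"
      Handler: lambda.handler
      Environment:
        Variables:
          # Only the parameter name reaches the function's environment, not the secret itself
          SECRET_PARAMETER_NAME: !Ref SecretValueParameter
      Policies:
        # Grants read access to this one parameter only
        - SSMParameterReadPolicy:
            ParameterName: !Ref SecretValueParameter
```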
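
The check below is an added example, not part of the gist: it audits a template of the shape shown above for `NoEcho` parameters that are copied into resource properties, where CloudFormation no longer masks them, and for `Ref`s that resolve to nothing. The sample template (a constructed JSON form in which `!Ref X` is `{ Ref: 'X' }`), the function names and the finding ids are assumptions made for the illustration; only `Ref` is followed, not `Fn::Sub`.

```javascript
// Constructed sample: JSON form of a template shaped like the one above.
const template = {
  Parameters: { SecretValue: { Type: 'String', NoEcho: true } },
  Resources: {
    SecretValueParameter: {
      Type: 'AWS::SSM::Parameter',
      Properties: { Type: 'String', Value: { Ref: 'SecretValue' } }
    },
    LambdaFunction: {
      Type: 'AWS::Serverless::Function',
      Properties: {
        Environment: { Variables: { SECRET_PARAMETER_NAME: { Ref: 'SecretValueParameter' } } }
      }
    }
  }
}

// Collect every { Ref: name } below `node`, together with its property path.
function collectRefs (node, path = [], out = []) {
  if (node && typeof node === 'object') {
    if (typeof node.Ref === 'string') out.push({ name: node.Ref, path: path.join('.') })
    for (const [key, value] of Object.entries(node)) collectRefs(value, path.concat(key), out)
  }
  return out
}

// Hypothetical audit: flag NoEcho parameters that flow into resource Properties
// and Refs that match no parameter, resource or AWS:: pseudo parameter.
function auditTemplate (tpl) {
  const params = tpl.Parameters || {}
  const resources = tpl.Resources || {}
  const findings = []
  for (const [logicalId, res] of Object.entries(resources)) {
    for (const ref of collectRefs(res.Properties || {})) {
      const where = `${logicalId}.${ref.path}`
      const param = params[ref.name]
      if (param && param.NoEcho) {
        // AWS::SSM::Parameter created by CloudFormation is never a SecureString
        const id = res.Type === 'AWS::SSM::Parameter' ? 'NOECHO_TO_PLAINTEXT_SSM' : 'NOECHO_IN_PROPERTIES'
        findings.push({ id, where, ref: ref.name })
      } else if (!param && !resources[ref.name] && !ref.name.startsWith('AWS::')) {
        findings.push({ id: 'UNRESOLVED_REF', where, ref: ref.name })
      }
    }
  }
  return findings
}

console.log(auditTemplate(template))
```

A `NOECHO_TO_PLAINTEXT_SSM` finding means anyone with read access to the parameter, or to the stack's resource properties, can read the secret.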