AWS SSM Parameter Store with CloudFormation
Support for this has been added so you no longer need to use a custom resource. You have to use a dynamic reference to a secure parameter.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
Using this feature you can use add {{resolve:ssm-secure:parameter-name:version}}
to your user data within a Fn::Join
CF intrinsic.
As of April 2019 secure strings are not available as a parameter type in cloudformation templates however the documentation states that CloudFormation will support the Parameter Store ‘SecureString’ type in a later release.