For an application to be able to read Parameter Store values, I need to give it permission to do so, and if secure string values are used, the application/consumer also needs access to the KMS key they were encrypted with.
But what is the point of using secure strings if I already have to explicitly allow access to the value in the first place? If I allow you to request the parameter, I will of course also allow you to decrypt it. Additionally, the values are actually returned decrypted to the requester if they have access to the KMS key and they are requested "with decryption", so it's not about in-flight security either.
For reference:
https://docs.aws.amazon.com/kms/latest/developerguide/services-parameter-store.html
https://docs.aws.amazon.com/cli/latest/reference/ssm/get-parameter.html
https://aws.amazon.com/blogs/mt/the-right-way-to-store-secrets-using-parameter-store/
It's the same use case for encrypting EBS volumes. It prevents Amazon employees, or anyone who stole the hardware or something, from being able to access your sensitive material.
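
The two separate grants the question describes, written out as an IAM identity policy (an added example, not part of the original posts). The account ID, region, `/myapp/` parameter path and key ID are constructed placeholders; the condition relies on the `PARAMETER_ARN` encryption context that Parameter Store passes to KMS, so the key grant only covers values stored under that path.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadParametersUnderAppPath",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter",
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/*"
    },
    {
      "Sid": "DecryptOnlyForThoseParameters",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:PARAMETER_ARN": "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/*"
        }
      }
    }
  ]
}
```

A principal that holds only the first statement can still retrieve the parameter, but a SecureString comes back as ciphertext, and a request "with decryption" is denied until the second statement also applies.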