You can add an [inline policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) to your user or group:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ssm:GetParameter",
      "Resource": "*"
    }
  ]
}
```
If you want, you can replace `"*"` with `"arn:aws:ssm:us-west-1:yyy:parameter/cdk-bootstrap/hnb659fds/*"` to limit the permissions to only the parameter you want.
You can add an [inline policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#inline-policies) to your `role/AWSCloudFormation`:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "*"
    }
  ]
}
```
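
A small check over the two policies above, as an added example that is not part of the original answers: it lists every `Allow` statement that still uses `"Resource": "*"` and swaps in a scoped ARN where one is known. The function names and the `SCOPED` map are assumptions; only the SSM ARN comes from the page, so `iam:CreateRole` stays flagged.

```python
import copy

# Scoped ARN quoted on the page ("yyy" is the page's account placeholder).
# No scoped ARN is given for iam:CreateRole, so it has no entry here.
SCOPED = {
    "ssm:GetParameter":
        "arn:aws:ssm:us-west-1:yyy:parameter/cdk-bootstrap/hnb659fds/*",
}

def page_policy(action):
    """Build the inline policy shown on the page for one action."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                       "Action": action, "Resource": "*"}],
    }

def as_list(value):
    """IAM allows a single value or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """Return (Sid, action) for each Allow grant on Resource "*"."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" in as_list(stmt.get("Resource", [])):
            findings += [(stmt.get("Sid", ""), a) for a in as_list(stmt.get("Action", []))]
    return findings

def scope(policy, scoped):
    """Return a copy where "*" is replaced when every action has a known ARN."""
    out = copy.deepcopy(policy)
    for stmt in as_list(out["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if "*" in as_list(stmt.get("Resource", [])) and actions and all(a in scoped for a in actions):
            arns = sorted({scoped[a] for a in actions})
            stmt["Resource"] = arns[0] if len(arns) == 1 else arns
    return out

if __name__ == "__main__":
    for action in ("ssm:GetParameter", "iam:CreateRole"):
        before = page_policy(action)
        after = scope(before, SCOPED)
        print(action, wildcard_findings(before), "->", wildcard_findings(after))
```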