From https://stackoverflow.com/questions/44734572/assumed-role-in-aws-lambda-access-denied-on-ssm-call

It really depends on the command you use in your Lambda.

If you use boto3.client('ssm').get_parameters(Names=[param1, param2]), then you need "Action": ["ssm:GetParameters"],

or alternatively when you use boto3.client('ssm').get_parameter(Name=param), you would need "Action": ["ssm:GetParameter"]