For me, I was able to reduce the calls from Lambda pretty significantly by doing the parameter pull step outside of the handler, so it is available as part of the execution context between runs (similar to how many people do DB connections with Lambda). I still do the decrypt step within the handler though because I don't like the idea of having decrypted values lying around, but the limit for KMS decrypt operations is independent of SSM, and is a 10k/s shared limit in the regions I use, so I haven't had any issues yet.
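A sketch of the pattern described in the comment above, added here as an example and not the commenter's code: the still-encrypted SecureString is fetched once at module scope, and KMS decryption happens on every invocation so plaintext only lives in a local variable. It assumes a standard-tier SecureString (whose `Value` with `WithDecryption=False` is base64 KMS ciphertext bound to the `PARAMETER_ARN` encryption context); `CachedSecureParameter`, the fake clients, the parameter name and the ARN are hypothetical or constructed so the block runs offline.

```python
import base64

SAMPLE_SECRET = "constructed-value"  # constructed sample plaintext
SAMPLE_ARN = "arn:aws:ssm:us-east-1:111122223333:parameter/app/db_password"  # constructed

class FakeSSM:  # constructed stand-in for boto3.client("ssm")
    def __init__(self):
        self.calls = 0
    def get_parameter(self, Name, WithDecryption):
        self.calls += 1
        blob = SAMPLE_SECRET.encode()[::-1]  # toy "ciphertext", not real KMS output
        return {"Parameter": {"ARN": SAMPLE_ARN, "Value": base64.b64encode(blob).decode()}}

class FakeKMS:  # constructed stand-in for boto3.client("kms")
    def __init__(self):
        self.calls = 0
    def decrypt(self, CiphertextBlob, EncryptionContext):
        self.calls += 1
        if EncryptionContext != {"PARAMETER_ARN": SAMPLE_ARN}:
            raise ValueError("encryption context mismatch")
        return {"Plaintext": CiphertextBlob[::-1]}

class CachedSecureParameter:
    """Keeps only the encrypted value across warm invocations."""
    def __init__(self, ssm, kms, name):
        self._kms = kms
        # Runs once per execution context (cold start): a single SSM call.
        # WithDecryption=False leaves the value as base64 ciphertext.
        param = ssm.get_parameter(Name=name, WithDecryption=False)["Parameter"]
        self._ciphertext = base64.b64decode(param["Value"])
        # Assumption: standard-tier parameter, encrypted directly under the KMS key.
        self._context = {"PARAMETER_ARN": param["ARN"]}

    def decrypt(self):
        """One KMS call per use; the plaintext is returned, never stored."""
        resp = self._kms.decrypt(CiphertextBlob=self._ciphertext,
                                 EncryptionContext=self._context)
        return resp["Plaintext"].decode("utf-8")

# Module scope: in a deployed function these would be boto3 clients.
SSM, KMS = FakeSSM(), FakeKMS()
DB_PASSWORD = CachedSecureParameter(SSM, KMS, "/app/db_password")

def handler(event, context):
    secret = DB_PASSWORD.decrypt()  # plaintext exists only in this local
    return {"secret_length": len(secret)}
```

Three warm invocations cost one SSM call and three KMS calls, which is the trade the comment describes: SSM traffic drops to one request per cold start while KMS traffic stays at one request per invocation.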