How about 'NoEcho' type of CFN parameters?
The term “parameters” is unfortunately overloaded.
CloudFormation parameters are used within CF. We were referring to parameters in Parameter Store.
But then, how do you get the secret value from CF to parameter store? If you put the value of the parameter in your template, then it is stored unencrypted in your template that is probably in source control.
For that, I use a combination of NoEcho in CF and use that user entered value as a !Ref when creating the parameter store. Run the template manually one time and then you can have it default to the existing value.
But you need a custom resource to create a secure string type.