diff --git a/packages/@aws-cdk/aws-ssm/README.md b/packages/@aws-cdk/aws-ssm/README.md
index 2a47ba47c2529..54e7acab8cec0 100644
--- a/packages/@aws-cdk/aws-ssm/README.md
+++ b/packages/@aws-cdk/aws-ssm/README.md
@@ -38,7 +38,7 @@ your CDK app by using `ssm.ParameterStoreString`:
 
 You can create either `ssm.StringParameter` or `ssm.StringListParameter`s in
 a CDK app. These are public (not secret) values. Parameters of type
-*SecretString* cannot be created directly from a CDK application; if you want
+*SecureString* cannot be created directly from a CDK application; if you want
 to provision secrets automatically, use Secrets Manager Secrets (see the
 `@aws-cdk/aws-secretsmanager` package).
 
diff --git a/packages/@aws-cdk/aws-ssm/lib/parameter.ts b/packages/@aws-cdk/aws-ssm/lib/parameter.ts
index df30c8197cf91..a33759d7cf014 100644
--- a/packages/@aws-cdk/aws-ssm/lib/parameter.ts
+++ b/packages/@aws-cdk/aws-ssm/lib/parameter.ts
@@ -202,7 +202,9 @@ export enum ParameterType {
   STRING = 'String',
   /**
    * Secure String
+   *
    * Parameter Store uses an AWS Key Management Service (KMS) customer master key (CMK) to encrypt the parameter value.
+   * Parameters of type SecureString cannot be created directly from a CDK application.
    */
   SECURE_STRING = 'SecureString',
   /**