CloudWatch agent setup: "Error in putting config to parameter ~" error

While configuring the CloudWatch agent through its configuration wizard, the following error came up at the very end.


[root@ip-]# /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-config-wizard
=============================================================
= Welcome to the AWS CloudWatch Agent Configuration Manager =
=============================================================
On which OS are you planning to use the agent?
~~~~~~~
~~~~~~~
Please make sure the creds you used have the right permissions configured for SSM access.
Which AWS credential should be used to send json config to parameter store?
1. ASIAV5IVKYW*******(From SDK)
2. Other
default choice: [1]:
1
Please make sure the creds you used have the right permissions configured for SSM access.
Error in putting config to parameter store AmazonCloudWatch-linux: AccessDeniedException: User: arn:aws:sts::406456026499:assumed-role/CloudWatchAgent/i-079d2342df149606c is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:ap-northeast-1:406456026499:parameter/AmazonCloudWatch-linux

It is complaining that the attached policy does not grant appropriate access to SSM.
Since the message reads "Error in putting config to parameter ~", the error apparently occurs when the wizard writes the parameter to Parameter Store (the ssm:PutParameter call named in the AccessDeniedException).

The managed policies provided by AWS for the agent are

  • CloudWatchAgentServerPolicy
  • CloudWatchAgentAdminPolicy

Looking at the contents of each:

CloudWatchAgentServerPolicy


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:DescribeVolumes",
                "ec2:DescribeTags",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
        }
    ]
}

CloudWatchAgentAdminPolicy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData",
                "ec2:DescribeTags",
                "logs:PutLogEvents",
                "logs:DescribeLogStreams",
                "logs:DescribeLogGroups",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:PutParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
        }
    ]
}

CloudWatchAgentAdminPolicy is essentially CloudWatchAgentServerPolicy with the ssm:PutParameter permission added (scoped, like ssm:GetParameter, to parameters named AmazonCloudWatch-*).
The cause this time was that only CloudWatchAgentServerPolicy had been attached to the instance role.

Attaching CloudWatchAgentAdminPolicy resolved the issue.

Successfully put config to parameter store AmazonCloudWatch-linuxx.
Program exits now.
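To show why one policy fails and the other succeeds without touching a live account, here is an added example (not from the original post or from AWS) that evaluates the two policy documents above against the exact call the wizard made. It implements only the basic IAM decision logic (an explicit Deny wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied) with IAM's `*`/`?` wildcards and case-insensitive action names; Condition keys, resource-based policies, permission boundaries and SCPs are deliberately not modelled. The `evaluate` and `wizard_check` function names and the `IAM_POLICY_ABC` Deny statement used for the explicit-deny check are assumptions of this example. The same check also makes the least-privilege point explicit: only the instance that runs the wizard needs the Admin policy, and even that policy cannot write parameters outside the AmazonCloudWatch-* prefix.

```python
"""Offline evaluation of the two CloudWatch agent managed policies (example added
here; the policy documents are copied from the post, the evaluator is a simplification
of IAM)."""
import fnmatch

SERVER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData", "ec2:DescribeVolumes", "ec2:DescribeTags",
                    "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups",
                    "logs:CreateLogStream", "logs:CreateLogGroup"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter"],
         "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"},
    ],
}

ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cloudwatch:PutMetricData", "ec2:DescribeTags",
                    "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:DescribeLogGroups",
                    "logs:CreateLogStream", "logs:CreateLogGroup"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:PutParameter"],
         "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"},
    ],
}

# The parameter ARN from the AccessDeniedException in the post.
WIZARD_PARAM = "arn:aws:ssm:ap-northeast-1:406456026499:parameter/AmazonCloudWatch-linux"


def _as_list(value):
    """IAM accepts either a single string/object or a list for these keys."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' one character.
    fnmatch also interprets '[', so escape it to keep only IAM's two wildcards."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    action = action.lower()  # action names are case-insensitive in IAM
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    not_actions = [a.lower() for a in _as_list(stmt.get("NotAction"))]
    if actions:
        action_hit = any(_iam_match(p, action) for p in actions)
    else:
        action_hit = not any(_iam_match(p, action) for p in not_actions)

    resources = _as_list(stmt.get("Resource"))
    not_resources = _as_list(stmt.get("NotResource"))
    if resources:
        resource_hit = any(_iam_match(p, resource) for p in resources)
    else:
        resource_hit = not any(_iam_match(p, resource) for p in not_resources)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action on one resource.
    Conditions are not modelled (neither managed policy above uses them)."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if "Condition" in stmt:
                raise NotImplementedError("Condition keys are not modelled in this example")
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def wizard_check(policies, parameter_arn=WIZARD_PARAM):
    """The two SSM calls involved: the wizard writes the parameter, the agent reads it."""
    return {
        "ssm:PutParameter": evaluate(policies, "ssm:PutParameter", parameter_arn),
        "ssm:GetParameter": evaluate(policies, "ssm:GetParameter", parameter_arn),
    }


if __name__ == "__main__":
    for name, policy in (("CloudWatchAgentServerPolicy", SERVER_POLICY),
                         ("CloudWatchAgentAdminPolicy", ADMIN_POLICY)):
        print(f"{name}: {wizard_check([policy])}")
```

Running the block reproduces the post's situation: with the Server policy alone, ssm:PutParameter is an implicit deny (exactly the AccessDeniedException the wizard reported) while ssm:GetParameter is allowed; with the Admin policy both are allowed. Against a parameter outside the AmazonCloudWatch-* prefix the Admin policy still yields an implicit deny, which is the reason to prefer it over a broader ssm:* grant.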