Access to AWS resources requires permissions. You will now create an IAM role that grants the permissions the agent needs to write metrics to CloudWatch. Amazon created two new default policies, CloudWatchAgentServerPolicy and CloudWatchAgentAdminPolicy, specifically for that purpose.
To create the IAM role, first sign in to the AWS Management Console and open the IAM console.
In the navigation pane on the left, choose Roles and then Create role.
Under Choose the service that will use this role, choose EC2 (Allows EC2 instances to call AWS services on your behalf). Choose Next: Permissions.
In the list of policies, select the check box next to CloudWatchAgentServerPolicy. If necessary, use the search box to find the policy. Then click Next: Tags.
Optionally add tags for the role, then click Next: Review.
Confirm that CloudWatchAgentServerPolicy appears next to Policies. In Role name, enter a name for the role, such as CloudWatchAgentServerRole. Optionally give it a description. Then click Create role.
The role is now created.
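
To confirm afterwards that the role is limited to what these steps configured, the following added example (not part of the original walkthrough) audits a role's trust policy and attached policies. It assumes input shaped like the output of `aws iam get-role` and `aws iam list-attached-role-policies`; the function name audit_agent_role and the sample data are hypothetical and constructed for illustration.

```python
# Added example: audit a role against the setup in this walkthrough.
SERVER_POLICY_ARN = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
EXPECTED_SERVICE = "ec2.amazonaws.com"

def _as_list(value):
    """IAM JSON allows either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_agent_role(role, attached_policies):
    """Return findings; an empty list means the role matches the walkthrough."""
    findings, trusted_ec2 = [], False
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                if kind == "Service" and value == EXPECTED_SERVICE:
                    trusted_ec2 = True
                else:
                    findings.append(f"unexpected trusted principal {kind}:{value}")
    if not trusted_ec2:
        findings.append(f"{EXPECTED_SERVICE} cannot assume this role")
    arns = [p["PolicyArn"] for p in attached_policies]
    if SERVER_POLICY_ARN not in arns:
        findings.append("CloudWatchAgentServerPolicy is not attached")
    findings += [f"extra policy attached: {a}" for a in arns if a != SERVER_POLICY_ARN]
    return findings

# Constructed sample data, not taken from a real account.
def _role(principal):
    return {"RoleName": "CloudWatchAgentServerRole", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": principal,
                       "Action": "sts:AssumeRole"}]}}

GOOD_ROLE = _role({"Service": "ec2.amazonaws.com"})
GOOD_POLICIES = [{"PolicyName": "CloudWatchAgentServerPolicy", "PolicyArn": SERVER_POLICY_ARN}]
BAD_ROLE = _role({"Service": "ec2.amazonaws.com", "AWS": "*"})
BAD_POLICIES = [{"PolicyName": "CloudWatchAgentAdminPolicy",
                 "PolicyArn": "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"}]

if __name__ == "__main__":
    print(audit_agent_role(GOOD_ROLE, GOOD_POLICIES))
    for finding in audit_agent_role(BAD_ROLE, BAD_POLICIES):
        print("FINDING:", finding)
```

An empty result means only EC2 can assume the role and only CloudWatchAgentServerPolicy is attached; any other trusted principal or additional policy is reported as a finding to review.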