Cognito error calling iam:CreateServiceLinkedRole

Question

I'm trying to switch from Cognito's default email system to using SES. However, when I try to make the switch to a verified SES email, I get the following error:

[NotAuthorizedException] Failed to update user pool email configuration.

requestId: xxx
time: Sun Apr 17 2022 17:27:25 GMT+0100 (BST)
code: NotAuthorizedException
message: Error calling iam:CreateServiceLinkedRole API. Make sure credentials calling the API allow 'email.cognito-idp.amazonaws.com' to call this API.

I have a sending authorisation policy for my SES mail, which looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "stmnt1234567891234",
      "Effect": "Allow",
      "Principal": {
        "Service": "email.cognito-idp.amazonaws.com"
      },
      "Action": "SES:*",
      "Resource": "arn:aws:ses:eu-west-2:123412341234:identity/[email protected]",
      "Condition": {}
    }
  ]
}

But I still keep getting this unauthorised message.

TIA