Access Denied Error while creating Elasticsearch domain using serverless

My serverless.yml file looks like this

service: ham-services-elasticsearch

custom:
  # Our stage is based on what is passed in when running serverless
  # commands. Or fallsback to what we have set in the provider section.
  stage: ${opt:stage, self:provider.stage}

provider:
  name: aws
  runtime: nodejs8.10
  stage: dev
  region: eu-west-1
  iamRoleStatements:
    - Effect: Allow
      Action:
        - es:*
      Resource: 'arn:aws:es:#{AWS::Region}:#{AWS::AccountId}:domain/*'

resources:
  Resources:
    HamElasticSearch:
      Type: "AWS::Elasticsearch::Domain"
      Properties:
        ElasticsearchVersion: "6.5"
        DomainName: "ham-management"
        ElasticsearchClusterConfig:
          DedicatedMasterEnabled: false
          InstanceCount: "1"
          ZoneAwarenessEnabled: false
          InstanceType: "t2.small.elasticsearch"
        EBSOptions:
          EBSEnabled: true
          Iops: 0
          VolumeSize: 10
          VolumeType: "gp2"
        AccessPolicies:
          Version: "2012-10-17"
          Statement: 
            - 
              Effect: "Allow"
              Principal: 
                AWS: "arn:aws:iam::#{AWS::AccountId}:user/ts-hga"
              Action: "es:*"
              Resource: "arn:aws:es:#{AWS::Region}:#{AWS::AccountId}:domain/*"
        AdvancedOptions: 
          rest.action.multi.allow_explicit_index: "true"
  Outputs:
    HamElasticSearchArn:
      Value:
         Fn::GetAtt:
          - HamElasticSearch
          - DomainArn
      Export:
        Name: ${self:provider.stage}-HamElasticSearchArn
    HamElasticSearchEndPoint:
      Value:
        Fn::GetAtt:
          - HamElasticSearch
          - DomainEndpoint
      Export:
        Name: ${self:provider.stage}-HamElasticSearchEndPoint

plugins:
  - serverless-pseudo-parameters

When I do serverless deploy I am getting below error in the terminal

 An error occurred: HamElasticSearch - User: arn:aws:iam::**{AccountID}**:user/ts-hga is not authorized to perform: es:AddTags on resource: arn:aws:es:eu-west-1:**{AccountID}**:domain/* (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: dfd4f4a0-8603-11e9-86db-ff5f56201154).

What could be the potential reason for the same?. Any help would be greatly appreciated.