Wednesday, August 31, 2016

AWS IAM Permissions to Create Tags

Had a hard time getting this to work, and it turns out that only permission for the "ec2:CreateTags" action is needed. However, the moment the resource is constrained (even to all resources within a specific region), I was unable to tag an EC2 instance. I was only able to tag an EC2 instance when the "Resource" was set to "*":

{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "Stmtxxxxxxxx",
           "Effect": "Allow",
           "Action": [
               "ec2:CreateTags"
           ],
           "Resource": [
               "*"
           ]
       }
   ]
}
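
A way to review policies for statements like the one above, as an added example that is not part of the original post: the function lists every Allow statement whose Resource includes "*" and records whether a Condition block is present on it. The names `as_list` and `unscoped_allows` are made up for this example.

```python
import json

# The policy from the post, embedded so the example runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxxxxx",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": ["*"]
    }
  ]
}
""")


def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def unscoped_allows(policy):
    """Return one finding per Allow statement whose Resource includes "*".

    Each finding records the granted actions and whether a Condition block
    is present, since with Resource "*" a Condition is the only remaining
    place in the statement to narrow what it applies to.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        findings.append({
            "sid": stmt.get("Sid", ""),
            "actions": as_list(stmt.get("Action")),
            "has_condition": bool(stmt.get("Condition")),
        })
    return findings
```

For the policy in this post it returns a single finding for `ec2:CreateTags` with `has_condition` set to `False`.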
