Limitations on unauthenticated Cognito identities?

0

I'm trying to use an unauthenticated Cognito identity to call ec2.describeInstanceStatus using the JavaScript for web SDK. When I try to call that or the similar ec2.describeInstances, I get an UnauthorizedOperation error and an HTTP 403 Forbidden.

I checked the IAM role permissions against the IAM Policy Simulator, and the role should have the proper permissions to perform those actions. I even gave it "AmazonEC2FullAccess (IAM Policy)" and nothing else on a new IAM role since I was at a loss. I still got UnauthorizedOperation.

This leads me to my question. Do unauthenticated Cognito identities have limitations on services/calls? I am able to invoke Lambda functions using the same IAM role and the same basic JavaScript/HTML, so I know the unauthenticated identity works for at least some actions.

Thanks for the help!

aj177
Asked 3 years ago, 588 views
1 answer
0

Answer found: From https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#access-policies

For additional security protection, Amazon Cognito applies a scope-down policy to credentials vended by GetCredentialsForIdentity to prevent access to services other than the ones listed below for your unauthenticated users. In other words, this policy allows an identity using these credentials access to only some services (see the list at the link).

EC2 is not in that list.

aj177
Answered 3 years ago
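Why attaching AmazonEC2FullAccess to the role made no difference can be shown with a small policy-intersection simulator. This is an added example, not code from the thread or from AWS: `evaluatePolicy`, `effectiveDecision`, `explain` and both policy documents are constructed here, and the scope-down allow-list is only an illustrative subset (the real list is in the linked developer guide). What it takes from the thread is that Lambda is on that list and EC2 is not, so the vended credentials are the intersection of the role policy and the scope-down policy.

```javascript
// Added example (not from the re:Post thread or AWS). Simulates how a Cognito
// scope-down policy combines with the identity pool's unauthenticated role:
// the vended credentials are only allowed what BOTH policies allow, and an
// explicit Deny in either wins. Simplifications: action-name matching only
// (IAM "*" and "?" wildcards), no Resource or Condition evaluation.

const ALLOW = "Allow";
const DENY = "Deny";

// Turn an IAM action pattern such as "ec2:Describe*" into a RegExp.
// IAM action names are matched case-insensitively.
function actionPattern(pattern) {
  const escaped = pattern
    .split("")
    .map((ch) => {
      if (ch === "*") return ".*";
      if (ch === "?") return ".";
      return ch.replace(/[.+^${}()|[\]\\]/g, "\\$&");
    })
    .join("");
  return new RegExp(`^${escaped}$`, "i");
}

// Evaluate one policy document for an action. Returns "Deny", "Allow", or
// null for an implicit deny (no statement matched at all).
function evaluatePolicy(policy, action) {
  let decision = null;
  for (const stmt of policy.Statement) {
    const actions = [].concat(stmt.Action);
    if (!actions.some((a) => actionPattern(a).test(action))) continue;
    if (stmt.Effect === DENY) return DENY; // explicit deny always wins
    if (stmt.Effect === ALLOW) decision = ALLOW;
  }
  return decision;
}

// What GetCredentialsForIdentity hands to an unauthenticated identity is
// bounded by the role policy AND the scope-down policy together.
function effectiveDecision(rolePolicy, scopeDownPolicy, action) {
  const fromRole = evaluatePolicy(rolePolicy, action);
  const fromScope = evaluatePolicy(scopeDownPolicy, action);
  if (fromRole === DENY || fromScope === DENY) return DENY;
  if (fromRole === ALLOW && fromScope === ALLOW) return ALLOW;
  return "ImplicitDeny";
}

// Constructed stand-in for the AmazonEC2FullAccess-style role in the question,
// plus the Lambda invoke permission the poster already had working.
const unauthRolePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: ALLOW, Action: ["ec2:*", "lambda:InvokeFunction"], Resource: "*" },
  ],
};

// Constructed stand-in for the Cognito scope-down allow-list. Illustrative
// subset only; the authoritative list is in the linked developer guide.
// The point is that lambda:* is on it and ec2:* is not.
const cognitoScopeDownPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: ALLOW, Action: ["lambda:*", "dynamodb:*", "s3:*"], Resource: "*" },
  ],
};

// Break one action down into the three verdicts so the cause is visible.
function explain(action) {
  return {
    action,
    rolePolicy: evaluatePolicy(unauthRolePolicy, action) ?? "ImplicitDeny",
    scopeDown: evaluatePolicy(cognitoScopeDownPolicy, action) ?? "ImplicitDeny",
    effective: effectiveDecision(unauthRolePolicy, cognitoScopeDownPolicy, action),
  };
}

// ec2:Describe*: role Allow, scope-down ImplicitDeny -> effective ImplicitDeny
// (surfaces in the browser as UnauthorizedOperation / HTTP 403).
// lambda:InvokeFunction: both Allow -> Allow (the calls the poster saw working).
for (const a of ["ec2:DescribeInstanceStatus", "ec2:DescribeInstances", "lambda:InvokeFunction"]) {
  console.log(JSON.stringify(explain(a)));
}
```

Run it with `node` and the EC2 rows show the role saying Allow while the effective verdict stays ImplicitDeny, which no amount of additional role policy can change. Given the quoted passage ties the scope-down to unauthenticated users, the practical routes are to keep the browser on the allowed services and do the EC2 query inside a Lambda function (which the asker reports already works with the same unauthenticated role), or to make the EC2 call from an authenticated identity.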
