Changing from Resource * to Explicit Access Results in An error occurred (AccessDeniedException)

While attempting to migrate all occurrences of "Resource": "*" there is one IAM Policy that does not work as expected. It is resulting in an access denied error and there is no clear reason why.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeReplicationInstances operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/xxx-xxx-data-env-stop-blu-dev-us-east-1-rolef2288a3ea069e71d/xxx-data-env-stop-blu-dev is not authorized to perform: dms:DescribeReplicationInstances because no identity-based policy allows the dms:DescribeReplicationInstances action

The error occurs in a Lambda that stops/starts dms and rds instances on a given schedule.

Curently, there are only three Replication Instances and all of them are listed in the Resource section of the policy.

Here is the Resource Section of the Lambda Configuration showing the 3 DMS instances as resources for the DescribeReplicationAccess Action.

Here is the pertinent section of the Lambda's Role Document: (There is no access denied error when the * wildcard is used here for Resource)

Here are the three DMS Replication Instances.

Can anyone point out what is missing. Does DescribeReplicationInstances require a wildcard in order to work?