how to scope ec2:RunInstances action

you can create an IAM group or role, such as EC2LaunchAllowed, and attach a policy allowing the necessary actions to this group or role. Then, add users who should have this permission to the group or assign them the role. This approach is both straightforward and secure.

Hello.

When creating EC2, I think the following documents will be helpful.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/supported-iam-actions-tagging.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRunInstancesWithoutTag",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/Project": "true"
                }
            }
        }
    ]
}

If you want to start EC2, you can use "ec2:StartInstances".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Statement2",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*"
            ],
            "Condition": {
                "Null": {
                    "ec2:ResourceTag/Owner": false
                },
                "StringEqualsIfExists": {
                    "ec2:ResourceTag/Owner": "HOGE"
                }
            }
        }
    ]
}