
If you encounter an error like:
ElasticMapReduce Cluster with Id cluster-name is in state TERMINATED_WITH_ERRORS and failed to stabilize due to the following reason: {Code: VALIDATION_ERROR, Message: Service role EMR_DefaultRole has insufficient EC2 permissions}
This typically means your EMR service role (EMR_DefaultRole) does not have the required permissions to launch EC2 instances for your cluster.
Step 1: Check CloudTrail for Details
Go to AWS CloudTrail and look for RunInstances events around the time your cluster failed.
You may see an error like:
User: arn:aws:sts::xxx:assumed-role/EMR_DefaultRole/CCSSession is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1:xxx:subnet/subnet-02xxx because no identity-based policy allows the ec2:RunInstances action
Step 2: Understand the Cause
If the service role uses the AmazonEMRServicePolicy_v2 managed policy, that policy allows EC2 actions such as RunInstances only on subnets and security groups tagged with:
Key: for-use-with-amazon-emr-managed-policies
Value: true
If your subnet or security group is not tagged this way, EMR cannot launch instances in it.
Step 3: Solution — Add the Required Tag
To fix this:
Go to the AWS Console → VPC → Subnets.
Find the subnet referenced in your EMR cluster (e.g., subnet-02cdb82893447260a).
Add the following tag:
Key: for-use-with-amazon-emr-managed-policies
Value: true
Repeat for any security groups referenced by your EMR cluster.
Step 4: Retry Your EMR Cluster
After tagging, re-launch your EMR cluster.
With the tag in place, the EMR service role should now have the permissions needed to launch EC2 instances.
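A pre-flight check for Steps 1 to 3, added here as an example and not part of the original article: it pulls the denied resource out of the CloudTrail error text and lists which subnets or security groups are missing the required tag. It assumes you have saved the JSON output of aws ec2 describe-subnets and aws ec2 describe-security-groups; the function names and the sample IDs are hypothetical.

```python
import re

# Tag required by AmazonEMRServicePolicy_v2 (key and value as given in the article).
REQUIRED_KEY = "for-use-with-amazon-emr-managed-policies"
REQUIRED_VALUE = "true"

def denied_resource(error_message):
    """Return (resource_type, resource_id) named in a CloudTrail 'not authorized' message."""
    m = re.search(r"on resource: arn:aws[\w-]*:ec2:[^:]*:[^:]*:([\w-]+)/(\S+)", error_message)
    return (m.group(1), m.group(2)) if m else None

def untagged(describe_output):
    """IDs in describe-subnets / describe-security-groups JSON that lack the tag."""
    resources = describe_output.get("Subnets", []) + describe_output.get("SecurityGroups", [])
    missing = []
    for res in resources:
        # The "Tags" list is absent entirely when a resource has no tags.
        tags = {t["Key"]: t["Value"] for t in res.get("Tags", [])}
        # Exact comparison: assumes the policy condition matches the value case-sensitively.
        if tags.get(REQUIRED_KEY) != REQUIRED_VALUE:
            missing.append(res.get("SubnetId") or res.get("GroupId"))
    return missing

# Constructed sample data: the error text is the one quoted in Step 1, IDs are placeholders.
SAMPLE_ERROR = ("User: arn:aws:sts::xxx:assumed-role/EMR_DefaultRole/CCSSession is not "
                "authorized to perform: ec2:RunInstances on resource: "
                "arn:aws:ec2:us-east-1:xxx:subnet/subnet-02xxx because no identity-based "
                "policy allows the ec2:RunInstances action")
SAMPLE_DESCRIBE = {
    "Subnets": [
        {"SubnetId": "subnet-0example1", "Tags": [{"Key": REQUIRED_KEY, "Value": "true"}]},
        {"SubnetId": "subnet-0example2"},  # no tags at all
    ],
    "SecurityGroups": [
        {"GroupId": "sg-0example1", "Tags": [{"Key": "Name", "Value": "emr-master"}]},
        {"GroupId": "sg-0example2", "Tags": [{"Key": REQUIRED_KEY, "Value": "True"}]},
    ],
}

if __name__ == "__main__":
    print("denied:", denied_resource(SAMPLE_ERROR))
    print("missing tag:", untagged(SAMPLE_DESCRIBE))
```

Any ID the check reports needs the tag from Step 3 before the cluster is re-launched.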