How to Enable AWS Services, Regions, and Account Features

Most AWS services work the moment you create an account. You do not need to activate EC2, S3, Lambda, or the majority of the service catalogue. But some things do require a manual step before they work: certain Regions need to be opted in, some security services must be turned on per-Region, and a few account-level features need one-time activation.

Beginners often hit confusing errors because they mix up these three types of enablement. This guide explains each one, shows you how to check whether something is enabled, and covers the most common services that require setup.

Analogy

Think of your AWS account like a new apartment building. The building itself (your account) is ready the moment you move in. Most rooms (services) are unlocked and usable. But some wings of the building (opt-in Regions) are sealed off until you request access from the front desk. Some appliances inside open rooms (security services) are installed but switched off at the breaker. And a few building-wide systems like the intercom (account features) need the building manager to flip a master switch before they work anywhere.

Quick checklist

Before you deploy to a new Region or expect a service to produce data, check these three things:

  1. Is the Region enabled? Opt-in Regions (introduced after March 2019) must be activated in Account Settings.
  2. Is the service enabled in that Region? GuardDuty, Security Hub, and AWS Config must be turned on individually per-Region.
  3. Is the account-level feature activated? Cost Explorer, IAM Identity Center, and similar features need a one-time activation for the whole account.

Simple explanation

“Enabling” something in AWS means one of three different things depending on what you are trying to use. Understanding which type you are dealing with tells you where to go and what to do.

  • Opt-in Region. A geographic location that is not active by default. You enable it at the account level, and then all services in that Region become available.

  • Region-scoped service. A service that exists in your account but does nothing until you explicitly turn it on in each Region where you want it. GuardDuty is the classic example.

  • Account-level feature. A feature that applies across your entire account (or organization) and only needs to be activated once. Cost Explorer and IAM Identity Center fall into this category.

Why this matters

When you skip an enablement step, things break in ways that look like permission errors or missing features:

  • You try to launch an EC2 instance in a newer Region and get an error saying the Region is not available.
  • You open the GuardDuty console expecting threat findings and see nothing because the detector was never created.
  • You check Cost Explorer for spending data and the dashboard is blank because the feature was not activated.
  • You expect Security Hub to show compliance findings, but the hub was never enabled in that Region.
  • You configure AWS Config rules but no resources are being recorded because the configuration recorder was never started.
Warning

These are not bugs or permission problems. They are enablement gaps. Before you start debugging IAM policies or service configurations, always confirm the service is actually turned on in the Region you are working in.

How enabling works in AWS

1. Opt-in Regions

AWS Regions introduced before March 2019 are enabled by default. Newer Regions require you to opt in before you can use them. This exists so that your IAM credentials are not valid in Regions you never intend to use, which reduces your security surface.

You enable opt-in Regions from Account Settings in the AWS Management Console, or using the AWS CLI. Once enabled, all services available in that Region become accessible to your account. Enablement typically takes a few minutes.

2. Services that must be turned on in a Region

Some services are available in every active Region but do not run until you explicitly enable them. These are mostly security and monitoring services that need to create detectors, recorders, or hubs before they produce data.

The key detail: enabling one of these services in us-east-1 does not enable it in eu-west-1. Each Region is independent. If you have workloads in three Regions, you need to enable the service in all three.

Analogy

Region-scoped services are like smoke detectors in a house. The house (your account) comes with the wiring for them, but each room (Region) has its own detector that must be individually switched on. Installing one in the kitchen does not protect the bedroom.

3. Account-level features that must be activated

A smaller set of features apply to the entire AWS account (or organization) and only need to be turned on once. These are not Region-specific. Once activated, they work globally.

What you are enablingScopeWhere you enable itExampleWhat breaks if you forget
Opt-in RegionAccount-wideAccount Settings or aws account enable-regionap-east-1 (Hong Kong)Cannot create any resources in that Region
GuardDutyPer-RegionGuardDuty console or aws guardduty create-detectorEnable in us-east-1No threat detection findings in that Region
Security HubPer-RegionSecurity Hub console or aws securityhub enable-security-hubEnable in eu-west-1No aggregated security findings or compliance checks
AWS ConfigPer-RegionConfig console or CLI setupStart the configuration recorderNo resource configuration history or compliance evaluation
Cost ExplorerAccount-wideBilling consoleOne-time activationNo spending dashboards or cost reports
IAM Identity CenterAccount-wide (one home Region)IAM Identity Center consoleChoose a home Region during setupNo centralized SSO or federated access

When you need to enable something

You will encounter enablement steps in these common situations:

  • Deploying to a newer Region. If the Region was introduced after March 2019, you need to opt in first.
  • Setting up security monitoring. GuardDuty, Security Hub, and AWS Config all require explicit enablement before they produce findings.
  • Using centralized access. IAM Identity Center must be enabled before you can set up SSO for an AWS Organization.
  • Analyzing costs. Cost Explorer must be activated before you can view spending reports or use the Cost Explorer API.
  • Following a tutorial. Many guides assume features like CloudTrail trails or Config recorders already exist. If the tutorial skips the setup step, you may need to do it yourself.
  • Running compliance checks. Security standards in Security Hub require both Security Hub and AWS Config to be enabled in the same Region.

Common examples

Opt-in AWS Regions

Opt-in Regions are Regions that AWS added after March 2019. They are disabled by default to limit the geographic scope of your IAM credentials. You must activate them before deploying resources there.

Examples of opt-in Regions:

  • af-south-1 (Cape Town)
  • ap-east-1 (Hong Kong)
  • ap-southeast-3 (Jakarta)
  • eu-south-1 (Milan)
  • me-south-1 (Bahrain)
  • me-central-1 (UAE)
# List all Regions and their opt-in status
aws ec2 describe-regions \
  --all-regions \
  --query 'Regions[*].{Region:RegionName,Status:OptInStatus}' \
  --output table

# Enable an opt-in Region
aws account enable-region --region-name ap-east-1
Note

Enabling a Region takes a few minutes. After activation, IAM users and roles in your account can create resources there. You can also disable a Region later, but disabling does not delete resources that are already running in it.

AWS GuardDuty

GuardDuty is a threat detection service. It analyzes CloudTrail logs, VPC Flow Logs, and DNS logs for suspicious activity. It is Region-scoped, so you must enable it separately in each Region where you want threat detection.

Beginners often enable GuardDuty in their primary Region and assume it covers everything. It does not. If you have workloads in us-east-1 and eu-west-1, you need a detector in both.

# Enable GuardDuty in the current Region
aws guardduty create-detector --enable

# Check if GuardDuty is enabled (returns detector IDs if active)
aws guardduty list-detectors
Tip

If you use AWS Organizations, you can designate a delegated administrator account and enable GuardDuty across all member accounts and Regions from one place, instead of repeating the process manually.

AWS Security Hub

Security Hub aggregates security findings from GuardDuty, Inspector, Macie, and other services. It also runs automated compliance checks against standards like CIS Benchmarks. It is Region-scoped.

Security Hub depends on AWS Config. If Config is not enabled in the same Region, Security Hub’s compliance checks will not work correctly.

# Enable Security Hub with default security standards
aws securityhub enable-security-hub --enable-default-standards

# Check Security Hub status
aws securityhub describe-hub
Warning

Enabling Security Hub without AWS Config is a common setup mistake. Security Hub needs Config’s resource recordings to evaluate compliance standards. Always enable both in the same Region.

AWS Config

AWS Config records configuration changes to your resources and evaluates them against compliance rules. It is Region-scoped: you set up a configuration recorder in each Region where you want to track resource changes.

Config is a dependency for Security Hub compliance checks. If you enable Security Hub but not Config, compliance findings will be incomplete or missing.

# Check if AWS Config has a recorder
aws configservice describe-configuration-recorders

# Check recorder status
aws configservice describe-configuration-recorder-status

AWS CloudTrail

CloudTrail logs API activity in your account. This is the service that causes the most confusion around enablement, because part of it is on by default and part of it is not.

What is on by default: Every AWS account has CloudTrail Event History, which records 90 days of management events automatically. You can view this in the console right now without creating anything. It covers the Region you are viewing.

What requires setup: If you want to store logs long-term in S3, capture data events (like S3 object access or Lambda invocations), or create a single trail that covers all Regions, you must create a trail explicitly.

# Create a multi-region trail
aws cloudtrail create-trail \
  --name my-account-trail \
  --s3-bucket-name my-cloudtrail-logs-bucket \
  --is-multi-region-trail

# Start logging on the trail
aws cloudtrail start-logging --name my-account-trail
Analogy

CloudTrail Event History is like the security camera footage your building stores for 90 days automatically. Creating a trail is like hiring a service to archive that footage permanently and expand the cameras to cover every floor. The basic coverage exists either way, but the archive gives you long-term records and broader reach.

AWS Cost Explorer

Cost Explorer must be activated before you can view spending dashboards or use the Cost Explorer API. It is an account-level feature. You enable it once from the Billing console.

Historical data: After you enable Cost Explorer, AWS makes up to 12 months of historical billing data available. The billing system was already collecting this data. Cost Explorer simply provides the interface to view it. It takes up to 24 hours after enablement for the data to appear.

Tip

A common misconception is that Cost Explorer cannot show any data from before you enabled it. That is not true. The billing data exists regardless. Cost Explorer is just the visualization layer. Enable it as early as possible so it is ready when you need it.

IAM Identity Center

IAM Identity Center (formerly AWS SSO) is not enabled by default. You enable it from the IAM Identity Center console and choose a home Region during setup. It is an account-level feature that manages access across all accounts in your organization from a single configuration.

Warning

Identity Center must be enabled in the management account of the organization, not in a member account. If you try to enable it in a member account, it either fails or creates a standalone configuration that is not connected to your organization.

How to check whether something is enabled

Use this checklist when something is not working as expected:

  • Region status: Run aws ec2 describe-regions —all-regions and check the OptInStatus field. A value of opted-in or opt-in-not-required means the Region is active.

  • GuardDuty: Run aws guardduty list-detectors. An empty list means it is not enabled in that Region.

  • Security Hub: Run aws securityhub describe-hub. An error means it is not enabled.

  • AWS Config: Run aws configservice describe-configuration-recorder-status. Check that recording is true.

  • CloudTrail trail: Run aws cloudtrail describe-trails. An empty list means no custom trail exists (Event History still works without one).

  • Cost Explorer: Open the Cost Explorer page in the Billing console. If it prompts you to enable it, it has not been activated yet.

Tip

When checking Region-scoped services, always confirm you are querying the correct Region. Add —region eu-west-1 to any CLI command to target a specific Region instead of relying on your default.

Common beginner mistakes

  1. Confusing Region activation with service activation. Enabling an opt-in Region makes it available for resource deployment. It does not automatically turn on Region-scoped services like GuardDuty or Config. These are two separate steps.

  2. Enabling a service in one Region and assuming it covers all Regions. GuardDuty, Security Hub, and AWS Config are Region-scoped. If you have workloads in three Regions, enable these services in all three independently.

  3. Thinking CloudTrail is completely off until you create a trail. Event History records 90 days of management events automatically. Creating a trail adds long-term storage and multi-Region coverage, but basic event logging is already happening.

  4. Assuming Cost Explorer cannot show data from before enablement. Cost Explorer surfaces up to 12 months of historical billing data. The data was always there. You are just enabling the interface to view it.

  5. Enabling a feature in a member account instead of the management account. IAM Identity Center and some organization-level features must be enabled in the management account of your AWS Organization. Enabling them in a member account either fails or creates a standalone configuration.

  6. Enabling Security Hub without enabling AWS Config. Security Hub’s compliance checks depend on Config resource recordings. Without Config active in the same Region, compliance standards produce incomplete results.

Enabling a Region vs enabling a service

This distinction trips up beginners more than anything else on this page.

Enabling a RegionEnabling a service in a Region
What it doesMakes a geographic location available to your accountTurns on a specific tool within an already-active Region
When you need itOnly for opt-in Regions (post-March 2019)For services like GuardDuty, Security Hub, AWS Config
Where you do itAccount SettingsThe service’s own console or CLI
Effect on other servicesUnlocks all services in that RegionOnly affects the one service you enabled
Must you repeat it?Once per Region, per accountOnce per Region, per service

A useful rule of thumb: if the error says the Region is not available, you have a Region enablement problem. If the Region works fine but a specific feature is empty or missing, you have a service enablement problem. See AWS Service Not Enabled Errors for detailed troubleshooting.

Troubleshooting signs you forgot to enable something

If you see any of these symptoms, check the enablement status before investigating permissions or configuration:

  • “Service not available in selected Region” means the Region is likely an opt-in Region that has not been activated.
  • Empty dashboards in GuardDuty or Security Hub means the service has not been enabled in the Region you are viewing.
  • Missing findings or compliance results means either the service is not enabled, or a dependency (like Config for Security Hub) is missing.
  • Cost Explorer shows no data means the feature has not been activated, or it was activated less than 24 hours ago.
  • Permissions appear correct but a feature does not work. Having IAM permission to use a service does not mean the service is enabled. Permission and enablement are independent.
  • CloudTrail shows no trails. You may be looking for a trail when Event History is what you actually need, or vice versa.
Note

Many of these symptoms look identical to permission errors. The fastest way to tell the difference: if the error persists even with an administrator policy attached, the problem is almost certainly enablement, not permissions.

Frequently asked questions

Do all AWS services need to be enabled first?

No. Most AWS services are available immediately in every default Region. You can start using EC2, S3, Lambda, and hundreds of other services the moment your account is active. The exceptions are opt-in Regions (which must be activated in Account Settings), certain security services like GuardDuty and Security Hub (which must be enabled per-Region), and account-level features like Cost Explorer (which must be turned on once for the whole account).

What is the difference between enabling a Region and enabling a service?

Enabling a Region makes that geographic location available to your account so you can create resources there. Enabling a service is a separate step that turns on a specific tool (like GuardDuty or AWS Config) within a Region that is already active. You must enable the Region first, then enable any opt-in services inside it.

Is CloudTrail already on by default?

Partially. Every AWS account automatically records 90 days of management event history in CloudTrail Event History. You can view this in the console without creating anything. However, if you want to store logs long-term in S3, capture data events, or cover all Regions with a single configuration, you must create a trail explicitly.

Does Cost Explorer show older data after I enable it?

Yes. When you enable Cost Explorer, AWS makes up to 12 months of historical billing data available. The data was always being collected by the billing system. Cost Explorer takes up to 24 hours to process and display it after you enable the feature.

Why does a service work in one Region but not another?

There are two common reasons. First, the target Region might be an opt-in Region that has not been activated for your account. Second, a Region-scoped service like GuardDuty or AWS Config must be enabled separately in each Region. Enabling it in us-east-1 does not turn it on in eu-west-1.

Last verified: 29 March 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.