How to Fix AWS Service Not Enabled Errors (OptInRequired, SubscriptionRequired)

You called an AWS API, ran terraform apply, or clicked something in the console and got an error saying the service is not enabled, you need to opt in, or a subscription is required. There are four distinct root causes that all produce similar error text. This page helps you identify which one you have and fix it in the shortest path possible.

This is a fix-it page. For background on how AWS service enablement works conceptually, see Enabling AWS Services.

Quick diagnosis

Error textWhat it usually meansFastest checkFix
OptInRequiredRegion not activated for this accountaws ec2 describe-regions --all-regionsEnable region via console or aws account enable-region
SubscriptionRequiredMarketplace product or AI service ToS not acceptedCheck Marketplace listing or service consoleVisit console, accept terms or subscribe
AccessDeniedException: not enabledSecurity service never activated in this account/regionaws guardduty list-detectors (or equivalent)Enable the service via CLI or console
AccessDeniedException: not authorizedIAM or SCP restriction, not an enablement issueCloudTrail event for the failed callFix IAM policy or SCP — see IAM overview
No error but unexpected behaviorQuota limit hit, not an enablement issueaws service-quotas list-service-quotasRequest quota increase — see Service Quotas

When to use this page

Use this page if you see any of these in your terminal, Terraform output, or console:

  • OptInRequired or opt-in in the error message
  • SubscriptionRequired or subscription required
  • GuardDuty is not enabled on this account
  • Security Hub is not enabled
  • Macie is not enabled
  • Config is not enabled or no configuration recorder

If the error says AccessDenied without a service-specific enablement message, the cause is more likely an IAM or SCP issue. See Terraform Permission Errors or IAM Access Denied Errors.

How this error actually happens

AWS has three separate mechanisms that all produce “not enabled” style errors:

  1. Opt-in regions. Newer AWS regions require account-level activation. Your account cannot make API calls to those regions until you opt in, even if the region exists and other accounts can use it.
  2. Security services off by default. Services like GuardDuty, Security Hub, Config, and Macie are disabled in every new account and every region. They must be turned on before any API call works, including read-only calls.
  3. Marketplace or ToS gating. Some services and AMIs are behind a terms-of-service or subscription wall. The service exists and the region is active, but you cannot use that specific product until you accept the agreement.
How to think about it

Think of your AWS account like a hotel room key. The hotel (AWS) exists and the floor (region) is open to other guests, but your specific key has not been programmed for that floor yet. OptInRequired means you need to program the key. SubscriptionRequired means the floor requires a separate access pass you have not collected. A security service being off is like a smoke detector in the room that shipped in the box and was never switched on.

Each root cause has a different fix. The sections below address each one.

OptInRequired: region not enabled on your account

OptInRequired appears when you target an opt-in region that your account has not activated. AWS launched newer geographic regions as opt-in by default — your account must explicitly enable them before you can create resources or make API calls there. Default regions like us-east-1, us-west-2, and eu-west-1 are active automatically. Opt-in regions include ap-east-1 (Hong Kong), me-south-1 (Bahrain), af-south-1 (Cape Town), and others added since the original launch.

For a full explanation of how regions and opt-in status work, see Regions and Availability Zones.

Diagnose#

aws ec2 describe-regions \
  --all-regions \
  --query 'Regions[*].[RegionName,OptInStatus]' \
  --output table

Look for not-opted-in in the OptInStatus column. Regions showing opt-in-not-required are default regions. Regions showing opted-in are already active.

Fix#

Enable the region from the console (Account Settings > Regions) or via CLI:

# Requires account:EnableRegion permission — typically root or a dedicated admin role
aws account enable-region --region-name ap-east-1
Wait for propagation before retrying

Region activation is asynchronous. Propagation time varies and AWS does not guarantee a fixed window. Wait until describe-regions shows opted-in for that region before re-running your command or Terraform. Retrying too early will produce the same error.

Note: the Account service always uses the us-east-1 endpoint regardless of which region you are enabling.

SubscriptionRequired: Marketplace or AI service terms not accepted

SubscriptionRequired means the product requires a subscription or terms-of-service acceptance that your account has not completed. Common cases:

  • AWS Marketplace AMIs and software products
  • Amazon Rekognition facial recognition features
  • Amazon Comprehend Medical
  • Certain Amazon Bedrock model providers
AI service terms are separate from IAM permissions

Even if your IAM role has full permissions to call Rekognition or Comprehend Medical, you will still get SubscriptionRequired if the account has never accepted the service-specific terms. Granting more IAM permissions will not fix it.

Diagnose#

The error message usually includes a URL to the Marketplace listing or the service console. If it does not, find the product in the Marketplace console or the relevant service console and look for a “Subscribe” or “Accept Terms” button.

Fix#

For Marketplace products: visit the listing in the AWS Marketplace console, click “Continue to Subscribe,” review the pricing, and accept. The subscription activates within a few minutes.

For Terraform workflows that reference a Marketplace AMI, the data source will fail if the subscription is not active:

# This fails with SubscriptionRequired if the AMI's Marketplace subscription
# is not active for your account. Accept it in the console first.
data "aws_ami" "marketplace_image" {
  owners      = ["679593333241"]
  most_recent = true
  filter {
    name   = "name"
    values = ["marketplace-ami-name-*"]
  }
}

Accept the subscription in the console, then run terraform apply.

Service not enabled on this account: security services off by default

GuardDuty, Security Hub, AWS Config, Amazon Macie, Amazon Detective, and Amazon Inspector are disabled by default in every account and every region. The error text varies by service but the root cause is the same: the service has never been turned on.

These services are separate from region opt-in. Even in a default region like us-east-1, they are off until you enable them.

Diagnose#

# GuardDuty
aws guardduty list-detectors --region us-east-1

# Security Hub
aws securityhub describe-hub --region us-east-1

# Macie
aws macie2 get-macie-session --region us-east-1

# Config
aws configservice describe-configuration-recorder-status

An empty DetectorIds list for GuardDuty, or a “not enabled” error for the others, confirms the service is off.

Fix#

# Enable GuardDuty
aws guardduty create-detector \
  --enable \
  --finding-publishing-frequency FIFTEEN_MINUTES \
  --region us-east-1

# Enable Security Hub — also activates default security standards
aws securityhub enable-security-hub \
  --enable-default-standards \
  --region us-east-1

# Enable Macie
aws macie2 enable-macie --region us-east-1

Security Hub begins evaluating your account against CIS AWS Foundations Benchmark checks immediately on enablement. GuardDuty charges are based on the volume of CloudTrail events and VPC Flow Logs it analyzes, so review pricing before enabling at scale.

These services are regional — every region needs its own enablement

Enabling GuardDuty in us-east-1 does not protect us-west-2. Repeat the enablement command in every region where you run workloads, or use the Organizations method in the section below. A single missed region is a common audit finding.

Region not enabled vs. service not available in region

These two situations produce similar errors but have different resolutions:

Region not enabled (you can fix it). The region exists, the service runs there, but your account has not opted in. The error is OptInRequired. Run aws account enable-region and retry.

Service not available in region (you cannot fix it). AWS has not launched the service in that region yet. No amount of opting in will help. Check the AWS regional services list to confirm whether the service exists in the target region before spending time on enablement steps.

Terraform-specific failure patterns

Terraform surfaces enablement errors differently from the CLI because it runs multiple API calls per resource, and the failure can appear on a read step rather than a write step.

Pattern 1: Resource creation fails because the region is not opted in#

│ Error: error creating GuardDuty Detector: BadRequestException:
│ The request failed because the account is not enabled for GuardDuty.

This is misleading. The Terraform resource is supposed to enable GuardDuty, but the underlying issue is that the region itself is not opted in.

Terraform cannot enable opt-in regions

Region enablement is handled by the AWS Account service, which is completely separate from the resource providers Terraform manages. There is no Terraform resource that enables a region. You must do it outside of Terraform first.

# Confirm the region opt-in status
aws ec2 describe-regions \
  --all-regions \
  --query 'Regions[?RegionName==`ap-east-1`].[RegionName,OptInStatus]'

Fix: enable the region, wait for activation to propagate, re-run terraform apply.

Pattern 2: Data source fails because a Marketplace subscription is not active#

│ Error: no matching AMI found

The AMI exists but the Marketplace subscription is missing for your account. Fix: accept the subscription in the console, then retry. This is not a Terraform bug.

Pattern 3: Plan succeeds but apply fails on a dependent resource#

This happens when a security service needs to be enabled before a dependent resource can be created (for example, a GuardDuty finding export). Plan does not call the APIs that trigger the enablement check — apply does.

Fix: add an explicit enablement resource in Terraform and use depends_on to sequence it before dependent resources.

For Terraform errors that look like permission problems rather than enablement problems, see Terraform Permission Errors.

Organization and multi-account cases

In a multi-account AWS Organizations setup, enabling services account-by-account is not practical. Use the delegated administrator model instead.

Designate an admin account and enable auto-enrollment#

# From the organization management account
aws guardduty enable-organization-admin-account \
  --admin-account-id 111122223333 \
  --region us-east-1

# From the delegated admin account
aws guardduty update-organization-configuration \
  --detector-id abc123detector \
  --auto-enable \
  --region us-east-1

With --auto-enable set, new accounts that join the organization automatically get GuardDuty enabled.

Check which services have organization integration enabled#

aws organizations list-aws-service-access-for-organization
The management account is not automatically covered

Organization-level auto-enable covers member accounts only. The management account must be enrolled in each service separately. This is one of the most common gaps that security audits surface in AWS Organizations setups. Do not assume the management account is protected just because you enabled a service organization-wide.

For CloudTrail organization trails: an organization trail logs events from all member accounts, but security services still need to be enabled in each account independently. The trail does not substitute for service enablement.

The management account gap is also a common reason security monitoring dashboards show incomplete coverage across the organization.

Step-by-step troubleshooting checklist

Work through these in order:

  1. Read the exact error code. Is it OptInRequired, SubscriptionRequired, or AccessDeniedException?
  2. If AccessDeniedException: check whether the message mentions a specific service being disabled (enablement issue) or says “not authorized to perform” (IAM or SCP issue with a different fix path).
  3. If OptInRequired: run describe-regions to confirm the region opt-in status. Enable the region, wait for propagation, retry.
  4. If SubscriptionRequired: find the Marketplace listing or service console, accept the terms or subscribe, retry.
  5. If service-specific “not enabled”: run the service’s list or describe command to confirm it is off. Enable it, retry.
  6. If the issue is in Terraform: determine whether the failure is region opt-in (fix outside Terraform), subscription (fix in console), or service enablement (add enablement resource to Terraform and sequence with depends_on).
  7. If still failing: check CloudTrail for the event. A genuine enablement error shows OptInRequired or a service-level disabled message. If instead you see errorCode: AccessDenied on an IAM event, the problem is permissions, not enablement.
  8. If the service seems enabled but still not working: check Service Quotas. A quota limit can produce errors that resemble enablement failures.

Common mistakes

  1. Enabling a service in one region and expecting it to cover all regions. GuardDuty, Config, Security Hub, and Macie are all regional. Enable them in every region where you run workloads, or use Organizations auto-enable.
  2. Assuming Terraform can enable opt-in regions. It cannot. Region enablement is in the Account service, separate from resource providers. Enable the region before running Terraform.
  3. Treating AccessDeniedException as an enablement error. Many IAM and SCP denials surface as AccessDeniedException. If the message says “not authorized to perform” rather than “service not enabled,” fix the IAM policy or SCP, not the service enablement.
  4. Confusing “service not available in region” with “service not enabled.” The first is a permanent AWS limitation. The second is an account setting you can change. Check the AWS regional services list before spending time on enablement steps for a service that does not exist in the target region.
  5. Forgetting the organization management account. Organization-level auto-enable covers member accounts, not the management account itself. Enable services there separately.
  6. Not accounting for costs before bulk enablement. Enabling GuardDuty across 10 accounts in 4 regions multiplies costs 40x. Monitor costs for the first few weeks after bulk enablement.

Service not enabled vs. similar errors

SituationError textRoot causeFix
Region not opted inOptInRequiredAccount-level region settingaws account enable-region
Marketplace or ToS not acceptedSubscriptionRequiredMissing subscription or terms acceptanceAccept in console
Security service offAccessDeniedException: not enabledService never activated in account or regionEnable via CLI or console
IAM or SCP denialAccessDeniedException: not authorizedMissing IAM permission or SCP blockFix policy — see IAM overview
Service quota exceededVaries by serviceUsage limit reachedRequest increase — see Service Quotas
Service temporarily unavailableHTTP 503 or service errorTransient AWS issueRetry with backoff; check AWS Health Dashboard

FAQ

What is the difference between OptInRequired and AccessDeniedException? OptInRequired means your account has not been activated for the region. You can fix it yourself. AccessDeniedException can look identical but usually means an IAM policy, SCP, or permission boundary is blocking the call. If the message says “not authorized to perform” rather than “opt-in,” check IAM policies and SCPs first. See IAM overview.

Why does GuardDuty need to be enabled in every region separately? Most AWS security services are regional. Enabling GuardDuty in us-east-1 does not protect resources in eu-west-1. Create a detector in each region you want covered, or use the AWS Organizations auto-enable feature to do it at scale.

Can Terraform enable opt-in regions automatically? No. Region enablement uses the AWS Account service API, which is separate from resource creation. Terraform cannot enable a region as a side effect of creating a resource there. Enable the region first, wait for propagation, then run Terraform. For Terraform permission patterns, see Terraform Permission Errors.

What is the difference between “service not available in region” and “service not enabled”? Service not available means AWS has not launched that service in that region. You cannot use it there regardless of account settings. Service not enabled means the service exists in the region but your account has not opted in or activated it. OptInRequired is the latter and is fixable. Check the AWS regional services list to distinguish the two.

How do I enable services across all accounts in an AWS Organization at once? Use the AWS Organizations delegated administrator model. Designate a member account as the admin for the service, then enable auto-enrollment. Any account that joins the organization will automatically have the service enabled. The management account must be enrolled separately.

Frequently asked questions

What is the difference between OptInRequired and AccessDeniedException?

OptInRequired means your account has not been activated for the region — it is an account-level configuration issue you can fix yourself. AccessDeniedException can look identical but usually means an IAM policy, SCP, or permission boundary is blocking the call. If the message says "not authorized to perform" rather than "opt-in," fix the IAM policy or SCP instead.

Why does GuardDuty need to be enabled in every region separately?

Most AWS security services are regional — they analyze data within a specific region only. Enabling GuardDuty in us-east-1 does not protect resources in eu-west-1. Create a detector in each region you want covered, or use the AWS Organizations auto-enable feature to do it at scale.

Can Terraform enable opt-in regions automatically?

No. Region enablement uses the AWS Account service API, which is separate from resource creation. Terraform cannot enable a region as a side effect of creating a resource there. Enable the region first via the console or CLI, wait for activation to propagate, then run Terraform.

What is the difference between "service not available in region" and "service not enabled"?

Service not available means AWS has not launched that service in that region at all — you cannot use it there regardless of account settings. Service not enabled means the service exists in the region but your account has not opted in or activated it. OptInRequired is the latter and is fixable. Check the AWS regional services list to distinguish the two before spending time on enablement steps.

How do I enable services across all accounts in an AWS Organization at once?

Use the AWS Organizations delegated administrator model. Designate a member account as the admin for the service, then enable auto-enrollment. Any account that joins the organization will automatically have the service enabled. The management account must be enrolled separately — it is not covered by bulk member-account enablement.

Last verified: 13 May 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.