How to Fix AWS Service Not Enabled Errors (OptInRequired, SubscriptionRequired)
You called an AWS API, ran terraform apply, or clicked something in the console and got an error saying the service is not enabled, you need to opt in, or a subscription is required. There are four distinct root causes that all produce similar error text. This page helps you identify which one you have and fix it in the shortest path possible.
This is a fix-it page. For background on how AWS service enablement works conceptually, see Enabling AWS Services.
Quick diagnosis
| Error text | What it usually means | Fastest check | Fix |
|---|---|---|---|
OptInRequired | Region not activated for this account | aws ec2 describe-regions --all-regions | Enable region via console or aws account enable-region |
SubscriptionRequired | Marketplace product or AI service ToS not accepted | Check Marketplace listing or service console | Visit console, accept terms or subscribe |
AccessDeniedException: not enabled | Security service never activated in this account/region | aws guardduty list-detectors (or equivalent) | Enable the service via CLI or console |
AccessDeniedException: not authorized | IAM or SCP restriction, not an enablement issue | CloudTrail event for the failed call | Fix IAM policy or SCP — see IAM overview |
| No error but unexpected behavior | Quota limit hit, not an enablement issue | aws service-quotas list-service-quotas | Request quota increase — see Service Quotas |
When to use this page
Use this page if you see any of these in your terminal, Terraform output, or console:
OptInRequiredoropt-inin the error messageSubscriptionRequiredorsubscription requiredGuardDuty is not enabled on this accountSecurity Hub is not enabledMacie is not enabledConfig is not enabledorno configuration recorder
If the error says AccessDenied without a service-specific enablement message, the cause is more likely an IAM or SCP issue. See Terraform Permission Errors or IAM Access Denied Errors.
How this error actually happens
AWS has three separate mechanisms that all produce “not enabled” style errors:
- Opt-in regions. Newer AWS regions require account-level activation. Your account cannot make API calls to those regions until you opt in, even if the region exists and other accounts can use it.
- Security services off by default. Services like GuardDuty, Security Hub, Config, and Macie are disabled in every new account and every region. They must be turned on before any API call works, including read-only calls.
- Marketplace or ToS gating. Some services and AMIs are behind a terms-of-service or subscription wall. The service exists and the region is active, but you cannot use that specific product until you accept the agreement.
Think of your AWS account like a hotel room key. The hotel (AWS) exists and the floor (region) is open to other guests, but your specific key has not been programmed for that floor yet. OptInRequired means you need to program the key. SubscriptionRequired means the floor requires a separate access pass you have not collected. A security service being off is like a smoke detector in the room that shipped in the box and was never switched on.
Each root cause has a different fix. The sections below address each one.
OptInRequired: region not enabled on your account
OptInRequired appears when you target an opt-in region that your account has not activated. AWS launched newer geographic regions as opt-in by default — your account must explicitly enable them before you can create resources or make API calls there. Default regions like us-east-1, us-west-2, and eu-west-1 are active automatically. Opt-in regions include ap-east-1 (Hong Kong), me-south-1 (Bahrain), af-south-1 (Cape Town), and others added since the original launch.
For a full explanation of how regions and opt-in status work, see Regions and Availability Zones.
Diagnose#
aws ec2 describe-regions \
--all-regions \
--query 'Regions[*].[RegionName,OptInStatus]' \
--output tableLook for not-opted-in in the OptInStatus column. Regions showing opt-in-not-required are default regions. Regions showing opted-in are already active.
Fix#
Enable the region from the console (Account Settings > Regions) or via CLI:
# Requires account:EnableRegion permission — typically root or a dedicated admin role
aws account enable-region --region-name ap-east-1Region activation is asynchronous. Propagation time varies and AWS does not guarantee a fixed window. Wait until describe-regions shows opted-in for that region before re-running your command or Terraform. Retrying too early will produce the same error.
Note: the Account service always uses the us-east-1 endpoint regardless of which region you are enabling.
SubscriptionRequired: Marketplace or AI service terms not accepted
SubscriptionRequired means the product requires a subscription or terms-of-service acceptance that your account has not completed. Common cases:
- AWS Marketplace AMIs and software products
- Amazon Rekognition facial recognition features
- Amazon Comprehend Medical
- Certain Amazon Bedrock model providers
Even if your IAM role has full permissions to call Rekognition or Comprehend Medical, you will still get SubscriptionRequired if the account has never accepted the service-specific terms. Granting more IAM permissions will not fix it.
Diagnose#
The error message usually includes a URL to the Marketplace listing or the service console. If it does not, find the product in the Marketplace console or the relevant service console and look for a “Subscribe” or “Accept Terms” button.
Fix#
For Marketplace products: visit the listing in the AWS Marketplace console, click “Continue to Subscribe,” review the pricing, and accept. The subscription activates within a few minutes.
For Terraform workflows that reference a Marketplace AMI, the data source will fail if the subscription is not active:
# This fails with SubscriptionRequired if the AMI's Marketplace subscription
# is not active for your account. Accept it in the console first.
data "aws_ami" "marketplace_image" {
owners = ["679593333241"]
most_recent = true
filter {
name = "name"
values = ["marketplace-ami-name-*"]
}
}Accept the subscription in the console, then run terraform apply.
Service not enabled on this account: security services off by default
GuardDuty, Security Hub, AWS Config, Amazon Macie, Amazon Detective, and Amazon Inspector are disabled by default in every account and every region. The error text varies by service but the root cause is the same: the service has never been turned on.
These services are separate from region opt-in. Even in a default region like us-east-1, they are off until you enable them.
Diagnose#
# GuardDuty
aws guardduty list-detectors --region us-east-1
# Security Hub
aws securityhub describe-hub --region us-east-1
# Macie
aws macie2 get-macie-session --region us-east-1
# Config
aws configservice describe-configuration-recorder-statusAn empty DetectorIds list for GuardDuty, or a “not enabled” error for the others, confirms the service is off.
Fix#
# Enable GuardDuty
aws guardduty create-detector \
--enable \
--finding-publishing-frequency FIFTEEN_MINUTES \
--region us-east-1
# Enable Security Hub — also activates default security standards
aws securityhub enable-security-hub \
--enable-default-standards \
--region us-east-1
# Enable Macie
aws macie2 enable-macie --region us-east-1Security Hub begins evaluating your account against CIS AWS Foundations Benchmark checks immediately on enablement. GuardDuty charges are based on the volume of CloudTrail events and VPC Flow Logs it analyzes, so review pricing before enabling at scale.
Enabling GuardDuty in us-east-1 does not protect us-west-2. Repeat the enablement command in every region where you run workloads, or use the Organizations method in the section below. A single missed region is a common audit finding.
Region not enabled vs. service not available in region
These two situations produce similar errors but have different resolutions:
Region not enabled (you can fix it). The region exists, the service runs there, but your account has not opted in. The error is OptInRequired. Run aws account enable-region and retry.
Service not available in region (you cannot fix it). AWS has not launched the service in that region yet. No amount of opting in will help. Check the AWS regional services list to confirm whether the service exists in the target region before spending time on enablement steps.
Terraform-specific failure patterns
Terraform surfaces enablement errors differently from the CLI because it runs multiple API calls per resource, and the failure can appear on a read step rather than a write step.
Pattern 1: Resource creation fails because the region is not opted in#
│ Error: error creating GuardDuty Detector: BadRequestException:
│ The request failed because the account is not enabled for GuardDuty.This is misleading. The Terraform resource is supposed to enable GuardDuty, but the underlying issue is that the region itself is not opted in.
Region enablement is handled by the AWS Account service, which is completely separate from the resource providers Terraform manages. There is no Terraform resource that enables a region. You must do it outside of Terraform first.
# Confirm the region opt-in status
aws ec2 describe-regions \
--all-regions \
--query 'Regions[?RegionName==`ap-east-1`].[RegionName,OptInStatus]'Fix: enable the region, wait for activation to propagate, re-run terraform apply.
Pattern 2: Data source fails because a Marketplace subscription is not active#
│ Error: no matching AMI foundThe AMI exists but the Marketplace subscription is missing for your account. Fix: accept the subscription in the console, then retry. This is not a Terraform bug.
Pattern 3: Plan succeeds but apply fails on a dependent resource#
This happens when a security service needs to be enabled before a dependent resource can be created (for example, a GuardDuty finding export). Plan does not call the APIs that trigger the enablement check — apply does.
Fix: add an explicit enablement resource in Terraform and use depends_on to sequence it before dependent resources.
For Terraform errors that look like permission problems rather than enablement problems, see Terraform Permission Errors.
Organization and multi-account cases
In a multi-account AWS Organizations setup, enabling services account-by-account is not practical. Use the delegated administrator model instead.
Designate an admin account and enable auto-enrollment#
# From the organization management account
aws guardduty enable-organization-admin-account \
--admin-account-id 111122223333 \
--region us-east-1
# From the delegated admin account
aws guardduty update-organization-configuration \
--detector-id abc123detector \
--auto-enable \
--region us-east-1With --auto-enable set, new accounts that join the organization automatically get GuardDuty enabled.
Check which services have organization integration enabled#
aws organizations list-aws-service-access-for-organizationOrganization-level auto-enable covers member accounts only. The management account must be enrolled in each service separately. This is one of the most common gaps that security audits surface in AWS Organizations setups. Do not assume the management account is protected just because you enabled a service organization-wide.
For CloudTrail organization trails: an organization trail logs events from all member accounts, but security services still need to be enabled in each account independently. The trail does not substitute for service enablement.
The management account gap is also a common reason security monitoring dashboards show incomplete coverage across the organization.
Step-by-step troubleshooting checklist
Work through these in order:
- Read the exact error code. Is it
OptInRequired,SubscriptionRequired, orAccessDeniedException? - If
AccessDeniedException: check whether the message mentions a specific service being disabled (enablement issue) or says “not authorized to perform” (IAM or SCP issue with a different fix path). - If
OptInRequired: rundescribe-regionsto confirm the region opt-in status. Enable the region, wait for propagation, retry. - If
SubscriptionRequired: find the Marketplace listing or service console, accept the terms or subscribe, retry. - If service-specific “not enabled”: run the service’s list or describe command to confirm it is off. Enable it, retry.
- If the issue is in Terraform: determine whether the failure is region opt-in (fix outside Terraform), subscription (fix in console), or service enablement (add enablement resource to Terraform and sequence with
depends_on). - If still failing: check CloudTrail for the event. A genuine enablement error shows
OptInRequiredor a service-level disabled message. If instead you seeerrorCode: AccessDeniedon an IAM event, the problem is permissions, not enablement. - If the service seems enabled but still not working: check Service Quotas. A quota limit can produce errors that resemble enablement failures.
Common mistakes
- Enabling a service in one region and expecting it to cover all regions. GuardDuty, Config, Security Hub, and Macie are all regional. Enable them in every region where you run workloads, or use Organizations auto-enable.
- Assuming Terraform can enable opt-in regions. It cannot. Region enablement is in the Account service, separate from resource providers. Enable the region before running Terraform.
- Treating AccessDeniedException as an enablement error. Many IAM and SCP denials surface as AccessDeniedException. If the message says “not authorized to perform” rather than “service not enabled,” fix the IAM policy or SCP, not the service enablement.
- Confusing “service not available in region” with “service not enabled.” The first is a permanent AWS limitation. The second is an account setting you can change. Check the AWS regional services list before spending time on enablement steps for a service that does not exist in the target region.
- Forgetting the organization management account. Organization-level auto-enable covers member accounts, not the management account itself. Enable services there separately.
- Not accounting for costs before bulk enablement. Enabling GuardDuty across 10 accounts in 4 regions multiplies costs 40x. Monitor costs for the first few weeks after bulk enablement.
Service not enabled vs. similar errors
| Situation | Error text | Root cause | Fix |
|---|---|---|---|
| Region not opted in | OptInRequired | Account-level region setting | aws account enable-region |
| Marketplace or ToS not accepted | SubscriptionRequired | Missing subscription or terms acceptance | Accept in console |
| Security service off | AccessDeniedException: not enabled | Service never activated in account or region | Enable via CLI or console |
| IAM or SCP denial | AccessDeniedException: not authorized | Missing IAM permission or SCP block | Fix policy — see IAM overview |
| Service quota exceeded | Varies by service | Usage limit reached | Request increase — see Service Quotas |
| Service temporarily unavailable | HTTP 503 or service error | Transient AWS issue | Retry with backoff; check AWS Health Dashboard |
FAQ
What is the difference between OptInRequired and AccessDeniedException?
OptInRequired means your account has not been activated for the region. You can fix it yourself. AccessDeniedException can look identical but usually means an IAM policy, SCP, or permission boundary is blocking the call. If the message says “not authorized to perform” rather than “opt-in,” check IAM policies and SCPs first. See IAM overview.
Why does GuardDuty need to be enabled in every region separately? Most AWS security services are regional. Enabling GuardDuty in us-east-1 does not protect resources in eu-west-1. Create a detector in each region you want covered, or use the AWS Organizations auto-enable feature to do it at scale.
Can Terraform enable opt-in regions automatically? No. Region enablement uses the AWS Account service API, which is separate from resource creation. Terraform cannot enable a region as a side effect of creating a resource there. Enable the region first, wait for propagation, then run Terraform. For Terraform permission patterns, see Terraform Permission Errors.
What is the difference between “service not available in region” and “service not enabled”?
Service not available means AWS has not launched that service in that region. You cannot use it there regardless of account settings. Service not enabled means the service exists in the region but your account has not opted in or activated it. OptInRequired is the latter and is fixable. Check the AWS regional services list to distinguish the two.
How do I enable services across all accounts in an AWS Organization at once? Use the AWS Organizations delegated administrator model. Designate a member account as the admin for the service, then enable auto-enrollment. Any account that joins the organization will automatically have the service enabled. The management account must be enrolled separately.
Frequently asked questions
What is the difference between OptInRequired and AccessDeniedException?
OptInRequired means your account has not been activated for the region — it is an account-level configuration issue you can fix yourself. AccessDeniedException can look identical but usually means an IAM policy, SCP, or permission boundary is blocking the call. If the message says "not authorized to perform" rather than "opt-in," fix the IAM policy or SCP instead.
Why does GuardDuty need to be enabled in every region separately?
Most AWS security services are regional — they analyze data within a specific region only. Enabling GuardDuty in us-east-1 does not protect resources in eu-west-1. Create a detector in each region you want covered, or use the AWS Organizations auto-enable feature to do it at scale.
Can Terraform enable opt-in regions automatically?
No. Region enablement uses the AWS Account service API, which is separate from resource creation. Terraform cannot enable a region as a side effect of creating a resource there. Enable the region first via the console or CLI, wait for activation to propagate, then run Terraform.
What is the difference between "service not available in region" and "service not enabled"?
Service not available means AWS has not launched that service in that region at all — you cannot use it there regardless of account settings. Service not enabled means the service exists in the region but your account has not opted in or activated it. OptInRequired is the latter and is fixable. Check the AWS regional services list to distinguish the two before spending time on enablement steps.
How do I enable services across all accounts in an AWS Organization at once?
Use the AWS Organizations delegated administrator model. Designate a member account as the admin for the service, then enable auto-enrollment. Any account that joins the organization will automatically have the service enabled. The management account must be enrolled separately — it is not covered by bulk member-account enablement.