EnableAllFeatures - AWS Organizations


Enables all features in an organization. This enables the use of organization policies that can restrict the services and actions that can be called in each account. Until you enable all features, you have access only to consolidated billing, and you can't use any of the advanced account administration features that AWS Organizations supports. For more information, see Enabling All Features in Your Organization in the AWS Organizations User Guide.


This operation is required only for organizations that were created explicitly with only the consolidated billing features enabled. Calling this operation sends a handshake to every invited account in the organization. The feature set change can be finalized and the additional features enabled only after all administrators in the invited accounts approve the change by accepting the handshake.

After you enable all features, you can separately enable or disable individual policy types in a root using EnablePolicyType and DisablePolicyType. To see the status of policy types in a root, use ListRoots.

After all invited member accounts accept the handshake, you finalize the feature set change by accepting the handshake that contains "Action": "ENABLE_ALL_FEATURES". This completes the change.

After you enable all features in your organization, the master account in the organization can apply policies on all member accounts. These policies can restrict what users and even administrators in those accounts can do. The master account can apply policies that prevent accounts from leaving the organization. Ensure that your account administrators are aware of this.

This operation can be called only from the organization's master account.

Response Syntax

{ "Handshake": { "Action": "string", "Arn": "string", "ExpirationTimestamp": number, "Id": "string", "Parties": [ { "Id": "string", "Type": "string" } ], "RequestedTimestamp": number, "Resources": [ { "Resources": [ "HandshakeResource" ], "Type": "string", "Value": "string" } ], "State": "string" } }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


A structure that contains details about the handshake created to support this request to enable all features in the organization.

Type: Handshake object


For information about the errors that are common to all actions, see Common Errors.


You don't have permissions to perform the requested operation. The user or role that is making the request must have at least one IAM permissions policy attached that grants the required permissions. For more information, see Access Management in the IAM User Guide.

HTTP Status Code: 400


Your account isn't a member of an organization. To make this request, you must use the credentials of an account that belongs to an organization.

HTTP Status Code: 400


The target of the operation is currently being modified by a different request. Try again later.

HTTP Status Code: 400


The requested operation would violate the constraint identified in the reason code.


Some of the reasons in the following list might not be applicable to this specific API or operation:

  • ACCOUNT_NUMBER_LIMIT_EXCEEDED: You attempted to exceed the limit on the number of accounts in an organization. Note that deleted and closed accounts still count toward your limit.


    If you get this exception immediately after creating the organization, wait one hour and try again. If after an hour it continues to fail with this error, contact AWS Support.

  • ALREADY_IN_AN_ORGANIZATION: The handshake request is invalid because the invited account is already a member of an organization.

  • HANDSHAKE_RATE_LIMIT_EXCEEDED: You attempted to exceed the number of handshakes that you can send in one day.

  • INVITE_DISABLED_DURING_ENABLE_ALL_FEATURES: You can't issue new invitations to join an organization while it's in the process of enabling all features. You can resume inviting accounts after you finalize the process when all accounts have agreed to the change.

  • ORGANIZATION_ALREADY_HAS_ALL_FEATURES: The handshake request is invalid because the organization has already enabled all features.

  • ORGANIZATION_FROM_DIFFERENT_SELLER_OF_RECORD: The request failed because the account is from a different marketplace than the accounts in the organization. For example, accounts with India addresses must be associated with the AISPL marketplace. All accounts in an organization must be from the same marketplace.

  • ORGANIZATION_MEMBERSHIP_CHANGE_RATE_LIMIT_EXCEEDED: You attempted to change the membership of an account too quickly after its previous change.

  • PAYMENT_INSTRUMENT_REQUIRED: You can't complete the operation with an account that doesn't have a payment instrument, such as a credit card, associated with it.

HTTP Status Code: 400


The requested operation failed because you provided invalid values for one or more of the request parameters. This exception includes a reason that contains additional information about the violated limit:


Some of the reasons in the following list might not be applicable to this specific API or operation.

  • IMMUTABLE_POLICY: You specified a policy that is managed by AWS and can't be modified.

  • INPUT_REQUIRED: You must include a value for all required parameters.

  • INVALID_ENUM: You specified an invalid value.

  • INVALID_FULL_NAME_TARGET: You specified a full name that contains invalid characters.

  • INVALID_LIST_MEMBER: You provided a list to a parameter that contains at least one invalid value.

  • INVALID_PAGINATION_TOKEN: Get the value for the NextToken parameter from the response to a previous call of the operation.

  • INVALID_PARTY_TYPE_TARGET: You specified the wrong type of entity (account, organization, or email) as a party.

  • INVALID_PATTERN: You provided a value that doesn't match the required pattern.

  • INVALID_PATTERN_TARGET_ID: You specified a policy target ID that doesn't match the required pattern.

  • INVALID_ROLE_NAME: You provided a role name that isn't valid. A role name can't begin with the reserved prefix AWSServiceRoleFor.

  • INVALID_SYNTAX_ORGANIZATION_ARN: You specified an invalid Amazon Resource Name (ARN) for the organization.

  • INVALID_SYNTAX_POLICY_ID: You specified an invalid policy ID.

  • INVALID_SYSTEM_TAGS_PARAMETER: You specified a tag key that is a system tag. You can’t add, edit, or delete system tag keys because they're reserved for AWS use. System tags don’t count against your tags per resource limit.

  • MAX_FILTER_LIMIT_EXCEEDED: You can specify only one filter parameter for the operation.

  • MAX_LENGTH_EXCEEDED: You provided a string parameter that is longer than allowed.

  • MAX_VALUE_EXCEEDED: You provided a numeric parameter that has a larger value than allowed.

  • MIN_LENGTH_EXCEEDED: You provided a string parameter that is shorter than allowed.

  • MIN_VALUE_EXCEEDED: You provided a numeric parameter that has a smaller value than allowed.

  • MOVING_ACCOUNT_BETWEEN_DIFFERENT_ROOTS: You can move an account only between entities in the same root.

HTTP Status Code: 400


AWS Organizations can't complete your request because of an internal service error. Try again later.

HTTP Status Code: 400


You have sent too many requests in too short a period of time. The quota helps protect against denial-of-service attacks. Try again later.

For information about quotas that affect AWS Organizations, see Quotas for AWS Organizationsin the AWS Organizations User Guide.

HTTP Status Code: 400


This example shows the administrator asking all the invited accounts in the organization to approve enabled all features in the organization. AWS Organizations sends an email to the address that is registered with every invited member account. The email asks the owner to approve the change to all features by accepting the handshake that is sent. After all invited member accounts accept the handshake, the organization administrator can finalize the change to all features. After that, those with appropriate permissions can create policies and apply them to roots, organizational units (OUs), and accounts.


Sample Request

POST / HTTP/1.1 Host: organizations.us-east-1.amazonaws.com Accept-Encoding: identity Content-Length: 103 X-Amz-Target: AWSOrganizationsV20161128.EnableAllFeatures X-Amz-Date: 20160801T180353Z User-Agent: aws-cli/1.10.18 Python/2.7.8 Linux/2.6.18-164.el5 botocore/1.4.9 Content-Type: application/x-amz-json-1.1 Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20160801/us-east-1/organizations/aws4_request, SignedHeaders=content-type;host;user-agent;x-amz-date;x-amz-target, Signature=EXAMPLESIGabcdef1234567890abcdef1234567890abcdef123456EXAMPLESIG {}


Sample Response

HTTP/1.1 200 OK x-amzn-RequestId: EXAMPLE8-90ab-cdef-fedc-ba987EXAMPLE Content-Type: application/x-amz-json-1.1 Content-Length: 0 Date: Mon, 08 Aug 2016 21:51:56 GMT { "Handshake": { "Action": "ENABLE_ALL_FEATURES", "Arn":"arn:aws:organizations::111111111111:handshake/o-exampleorgid/enable_all_features/h-examplehandshakeid111", "ExpirationTimestamp":1.483127868609E9, "Id":"h-examplehandshakeid111", "Parties": [ { "id":"o-exampleorgid", "type":"ORGANIZATION" } ], "requestedTimestamp":1.481831868609E9, "resources": [ { "type":"ORGANIZATION", "value":"o-exampleorgid" } ], "state":"REQUESTED" } }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: