With Amazon Macie, you are charged based on the number of Amazon S3 buckets evaluated for bucket-level security and access controls and the quantity of data processed for sensitive data discovery.
Number of Amazon S3 buckets continually evaluated for security and access controls – When you enable Macie, the service will gather detail on all of your S3 buckets, including bucket names, size, object count, resource tags, encryption status, access controls, and region placement. Macie will then automatically and continually evaluate all of your buckets for security and access control, alerting you to any unencrypted buckets, publicly accessible buckets, or buckets shared with an AWS account outside of your organization. You are charged based on the total number of buckets in your account after the 30-day free trial and charges are pro-rated per day.
Quantity of data processed for sensitive data discovery – After enabling the service, you are able to configure and submit buckets for sensitive data discovery. This is done by selecting the buckets you would like scanned, configuring a one-time or periodic sensitive data discovery job, and submitting it to Macie. Macie only charges for the bytes processed in supported object types it inspects. As part of Macie sensitive data discovery jobs, you will also incur the standard Amazon S3 charges for GET and LIST requests. See “Requests and data retrievals” pricing on the Amazon S3 pricing page.
Free tier | Sensitive data discovery
For sensitive data discovery jobs, the first 1 GB processed every month in each account comes at no cost. For each GB processed beyond the first 1 GB, charges will occur as defined in the pricing table below.
30-day free trial for S3 bucket-level evaluation of security and access controls
You can quickly get started with Macie leveraging the 30-day free trial. By enabling the service, only the S3 bucket inventory and bucket-level evaluation charges apply and those come at no-cost for the first 30 days. After the first 30 days, the bucket evaluation charges will occur as defined in the pricing table below. Each new account that is enabled with Macie receives this free trial period, even in multi-account configurations.
Pricing details
Pricing examples (US East (Northern Virginia) Region prices)
In this example, you enable Macie in an account with 15 Amazon S3 buckets and you don’t submit any sensitive data discovery jobs.
• 15 Amazon S3 buckets
• 0 GB of data processed for sensitive data discovery
Macie charges =
15 * $0.10 ($0.10 per S3 bucket/month)
= $1.50 + $0.00
= $1.50 per month
In this example, you enable Macie in an account with 15 Amazon S3 buckets and you submit a sensitive data discovery job across buckets that result in 1 GB of data processed per month.
• 15 Amazon S3 buckets
• 1 GB of data processed for sensitive data discovery
Macie charges =
15 * $0.10 ($0.10 per S3 bucket/month)
+ 1 * $0.00 (first 1 GB/month)
= $1.50 + $0.00
= $1.50 per month
In this example, you enable Macie in an account with 15 Amazon S3 buckets and you submit a sensitive data discovery job for a bucket that has 1,000,000 objects in S3 standard storage resulting in 100 GB of data processed.
• 15 Amazon S3 buckets
• 100 GB of data processed for sensitive data discovery
• 1,000,000 objects, all supported object types
Macie charges =
15 * $0.10 ($0.10 per S3 bucket/month)
+ 1 * $0.00 (first 1 GB/month)
+ 99 * $1.00 (next 50,000 GB/month)
= $1.50 + $0.00 + $99.00
= $100.50 Macie charge
S3 charges =
$0.005 (1,000 S3 LIST requests returning 1,000 objects each at $0.005 per 1,000 calls)
+ $0.0004 * 1000 (1,000,000 objects at $0.0004 per 1,000 S3 GET requests)
= $0.005 + $0.4
= $0.405 S3 charge
In this example, you enable Macie in an account with 15 Amazon S3 buckets and submit a sensitive data discovery job for a bucket that has 1,000,000 objects and is reported to have 600 GB of estimated storage. However, 100,000 of the objects are image files representing 100 GB and therefore, ignored by Macie for sensitive data discovery (see Macie supported object types). All other objects are supported resulting in 500 GB of initial data processed.
You also configure the job as a periodic job to pick up any new supported objects placed in the bucket each day and evaluate those as well for which there is an additional 100,000 objects placed in the bucket that are of a supported object type representing 10 GB of data processed each month thereafter.
• 15 Amazon S3 buckets
• 900,000 objects, all supported object types
• 500 GB of initial data processed for sensitive data discovery
• 100,000 new objects placed in the bucket each month, all supported object types
• 10 GB of additional data processed for sensitive data discovery each month
Macie charges =
15 * $0.10 ($0.10 per S3 bucket/month)
+ 1 * $0.00 (first 1 GB/month)
+ 499 * $1.00 (next 50,000 GB/month)
= $1.50 + $0.00 + $499.00
= $500.50 for first month
S3 charges =
$0.005 (1,000 S3 LIST requests returning 1,000 objects each at $0.005 per 1,000 calls)
+ $0.0004 * 900 (900,000 objects at $0.0004 per 1,000 S3 GET requests)
= $0.005 + $0.36
= $0.365 S3 charge for first month
Macie ongoing monthly charges =
15 * $0.10 ($0.10 per S3 bucket / month)
+ 1 * $0.00 (first 1 GB/month)
+ 9 * $1.00 (next 50,000 GB/ month)
= $1.50 + $0.00 + $9.00
= $10.50 per month (each month thereafter)
S3 ongoing monthly charges =
$0.005 / 10 (1,000 S3 LIST requests returning 1,000 objects each at $0.005 per 1,000 calls)
+ $0.0004 * 100 (100,000 objects at $0.0004 per 1,000 S3 GET requests)
= $0.0005 + $0.04
= $0.0405 S3 charge per month (each month thereafter)
Pricing FAQs
Q: How do I estimate the cost of initial enablement of Macie in my account?
A: You can enable the service and take advantage of the 30-day free trial. During that period, you are presented with a usage tab in the Macie console that will estimate your spend for S3 bucket-level inventory and evaluation for security and access controls before transitioning to paid usage.
Q: How do I know how much I’m spending on Macie sensitive data discovery each month?
A: As you configure and submit sensitive data discovery jobs, you are able to visit the usage tab in the Macie console to view month-to-date spend based on actual usage in your account. This gives you visibility into your spend as you configure sensitive data discovery jobs across your buckets.
Q: How do I monitor spend when configured in multi-account?
A: If deployed in a multi-account configuration, usage is rolled up to the Macie master account to provide total usage for all accounts and a breakout of usage by individual account. This allows you to review and monitor Macie spend across your entire organization.
Q: What service quotas are in place to control usage and spend?
A: Macie comes with a default service quota for sensitive data discovery of 5 TB per account that you can raise up to 25 TB in the AWS Management Console (see Quotas for Amazon Macie). You can further increase you service quota beyond 25 TB through AWS Support. These service quotas cap the total spend in an account and allow you to manage spend across accounts. If a service quota is reached, your sensitive data discovery jobs are paused to ensure no further charges are incurred and you are notified in the Macie console and the AWS Personal Health Dashboard. You can then increase your service quota or allow them to automatically reset in the next calendar month, where the jobs will automatically resume. There are no service quotas for S3 bucket inventory and bucket-level evaluation.
Q: How do I estimate the actual spend for a sensitive data discovery job on a bucket?
A: Macie provides an inventory of all your buckets including what S3 has listed as the estimated storage size, object count, and the presence of any compressed objects. This can be used to estimate the cost of running sensitive data discovery on a bucket or buckets, however, actual data processed could vary. For any unsupported object types in the bucket, Macie will skip those objects and you will not be charged for them. For any compressed objects, they will be decompressed and inspected, which could result in data processed above the reported compressed size.
Q: How do I estimate spend for continual sensitive data discovery?
A: You can configure your sensitive data discovery jobs to be periodic, where Macie will evaluate all existing data in a bucket and automatically inspect only new objects placed in the bucket over time. To estimate the cost of a periodic job, Macie will display the estimated size of the bucket at the time of submission, which can be used to calculate the initial cost to inspect the bucket. You can then estimate the growth of data in the bucket to calculate the cost to inspect new objects placed in the bucket over time. You can use the usage tab in the Macie console to monitor month-to-date spend across all jobs and service quotas to cap spend in an account.
Q: Does Macie support sampling as an option to further reduce cost?
A: Yes, you can configure a sensitive data discovery job to sample objects in a bucket by choosing a sample depth percentage. Macie will then pick up a random set of objects within a bucket based on the sample depth percentage you define. Each supported object within that sample set will be fully inspected and findings will be generated for any sensitive data found. This can be used to get an indication of any sensitive data present within a bucket at a lower cost than inspecting all objects within the bucket.
Learn more about Amazon Macie capabilities and implementation by reading the documentation.
