Amazon Macie discovers sensitive data using machine learning and pattern matching, and enables visibility and automated protection against data security risks. With Macie, you are charged based on three dimensions: the number of Amazon Simple Storage Service (S3) buckets evaluated for bucket inventory and monitoring, the number of Amazon S3 objects monitored for automated data discovery, and the quantity of data inspected for automated and targeted sensitive data discovery.
Number of S3 buckets continually evaluated for bucket inventory and monitoring
When you enable Macie, the service gathers details on all of your S3 buckets, including bucket names, size, object count, resource tags, encryption status, access controls, and Region placement. Macie then automatically and continually evaluates all of your buckets for security and access controls. Macie alerts you to any unencrypted buckets, publicly accessible buckets, or buckets shared with an AWS account outside of your organization. You are charged based on the total number of buckets in your account after the 30-day free trial, and charges are prorated per day.
Quantity of data inspected for automated and targeted data discovery
Macie automatically starts inspecting objects in S3 for the presence of sensitive data such as personally identifiable information (PII), payment data, or AWS credentials as part of automated sensitive data discovery. You are charged based on the total quantity of data inspected in your account after the 30-day free trial, and charges are prorated per day. You can also discover sensitive data by creating and running targeted sensitive data discovery jobs: select the buckets you would like scanned, configure a one-time or periodic targeted sensitive data discovery job, and submit it to Macie. Macie charges only for the bytes inspected in supported object types. As part of Macie sensitive data discovery jobs, you will also incur the standard S3 charges for GET and LIST requests. See Requests and data retrievals pricing on the S3 pricing page.
Number of objects monitored for automated data discovery
Amazon Macie monitors all S3 objects in your account for automated data discovery. The objects are clustered by attributes such as bucket name, file types, and prefixes to cost-efficiently sample data broadly across an organization and minimize the data scanning needed to uncover sensitive data in Amazon S3 buckets. Macie uses the results of the automated data discovery analysis to create a profile for each bucket, and then tracks the objects that were sampled to keep this profile fresh. If a previously scanned object is deleted, Macie automatically updates the profile of the bucket. You are charged based on the total quantity of S3 objects in your account after the 30-day free trial, and charges are prorated per day.
Free 30-day trial period
You can try Amazon Macie at no charge with a 30-day free trial. You get 30 days of free automated data discovery, which includes the data inspected for sensitive data discovery and the objects monitored in your S3 storage. Macie inspects up to 150 GB per account within the free trial period. The free trial also includes 30 days of bucket inventory and monitoring. Each new account that is enabled with Macie receives this free trial period, even in multi-account configurations.
Pricing examples (US East (Northern Virginia) Region prices)
Q: How do I estimate the cost of the initial enablement of Macie on my account?
A: You can enable the service and take advantage of the 30-day free trial. During that period, you can access a usage tab in the Macie console that will estimate your usage for S3 bucket-level inventory and an evaluation for security and access controls. The console will also estimate your automated data discovery, which includes the data inspected for sensitive data discovery and the objects monitored in your S3 storage, before transitioning to paid usage.
Q: How does automated data discovery lower my spend for discovering sensitive data?
A: Macie uses various techniques including resource clustering by attributes such as bucket name, file types, and prefixes to cost-efficiently sample data broadly across an organization and minimize the data scanning needed to uncover sensitive data in S3 buckets. You can use automated data discovery to identify where your sensitive data resides in S3 and continually evaluate how well it is being protected without manually configuring and running targeted data discovery jobs.
Q: How do I know how much I’m spending on Macie targeted sensitive data discovery each month?
A: As you configure and submit targeted sensitive data discovery jobs, you can visit the usage tab in the Macie console to view month-to-date spend based on actual usage in your account. This provides visibility into your spend as you configure targeted sensitive data discovery jobs across your buckets.
Q: How do I monitor spend in multi-account configuration?
A: If deployed in a multi-account configuration, usage is rolled up to the Macie master account to provide total usage for all accounts and a breakdown of usage by individual account. This helps you review and monitor Macie spend across your entire organization.
Q: What service quotas are in place to control usage and spend?
A: Macie comes with a default service quota of 5 TB per account for targeted sensitive data discovery. You can further increase your service quota (see Quotas for Amazon Macie) beyond 25 TB through AWS Support. These service quotas cap the total spend in an account and help you manage your spend across accounts. If a service quota is reached, your targeted sensitive data discovery jobs are paused to ensure no further charges are incurred. You are then notified in the Macie console and the AWS Personal Health Dashboard. You can then increase your service quota or allow it to reset automatically in the next calendar month, at which point the jobs automatically resume. There are no service quotas for S3 bucket inventory evaluation.
Q: How do I estimate the actual spend for a targeted sensitive data discovery job on a bucket?
A: Macie provides an inventory of all your buckets, including what S3 has listed as the estimated storage size, object count, and the presence of any compressed objects. This can be used to estimate the cost of running targeted sensitive data discovery on a bucket or buckets; however, the actual amount of data processed could vary. Macie skips any unsupported object types in the bucket, and you are not charged for them. Compressed objects are decompressed and inspected, which could result in more data being processed than the reported compressed size.
For targeted sensitive data discovery jobs that run periodically, Macie evaluates all existing data in a bucket once and then automatically inspects only new objects placed in the bucket over time. To estimate the cost of a periodic targeted discovery job, Macie displays the estimated size of the bucket at the time of submission, which can be used to calculate the initial cost to inspect the bucket. You can then estimate the growth of data in the bucket to calculate the cost to inspect new objects placed in the bucket over time. You can use the usage tab in the Macie console to monitor month-to-date spend across all jobs, and service quotas to cap spend in an account.
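The estimation procedure above, carried through on a constructed bucket inventory as an added example (this is not AWS or Macie code): it drops unsupported object types, inflates compressed objects, subtracts the 150 GB free-trial allowance, and flags whether the 5 TB default quota would pause the job. The supported and compressed suffix lists, the 3x expansion ratio, and the sample inventory are assumptions for illustration only.

```python
from dataclasses import dataclass

GB, TB = 1024 ** 3, 1024 ** 4
DEFAULT_QUOTA_BYTES = 5 * TB     # default per-account targeted-discovery quota stated on the page
FREE_TRIAL_BYTES = 150 * GB      # free-trial inspection allowance stated on the page
# Assumptions for illustration only: which suffixes count as supported object
# types, which count as compressed archives, and how much archives expand.
SUPPORTED_SUFFIXES = (".txt", ".csv", ".json", ".parquet", ".docx", ".pdf")
COMPRESSED_SUFFIXES = (".gz", ".zip")
ASSUMED_EXPANSION_RATIO = 3.0


@dataclass
class S3Object:
    key: str
    size: int  # bytes as listed in the S3 inventory (stored size for archives)


def billable_bytes(obj: S3Object) -> int:
    """Bytes Macie would inspect for one object: expanded size for archives,
    listed size for supported types, zero for unsupported types (skipped, not billed)."""
    key = obj.key.lower()
    if key.endswith(COMPRESSED_SUFFIXES):
        return int(obj.size * ASSUMED_EXPANSION_RATIO)
    if key.endswith(SUPPORTED_SUFFIXES):
        return obj.size
    return 0


def estimate_job(objects, monthly_new_bytes=0, quota_bytes=DEFAULT_QUOTA_BYTES,
                 trial_remaining=FREE_TRIAL_BYTES):
    """Estimate initial and recurring inspected bytes for a periodic targeted job."""
    initial = sum(billable_bytes(o) for o in objects)
    skipped = sum(1 for o in objects if billable_bytes(o) == 0)
    return {
        "initial_bytes": initial,
        "skipped_objects": skipped,
        "first_month_chargeable_bytes": max(0, initial - trial_remaining),
        "recurring_monthly_bytes": monthly_new_bytes,
        # reaching the quota pauses jobs until it resets in the next calendar month
        "quota_pause_expected": initial > quota_bytes or monthly_new_bytes > quota_bytes,
    }


# Constructed inventory for a single bucket (sizes in bytes).
SAMPLE_INVENTORY = [
    S3Object("exports/customers.csv", 40 * GB),
    S3Object("logs/2024-01.json.gz", 10 * GB),   # expands to ~30 GB under the assumption
    S3Object("media/intro.mp4", 500 * GB),       # assumed unsupported: skipped, not billed
    S3Object("docs/policy.pdf", 1 * GB),
]

if __name__ == "__main__":
    print(estimate_job(SAMPLE_INVENTORY, monthly_new_bytes=5 * GB))
```

Replace the constructed inventory with the bucket's actual object listing to get a figure you can compare against the usage tab once the job runs.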