Amazon Macie Pricing

Q: How do I estimate the cost of the initial enablement of Macie on my account?

A: You can enable the service and take advantage of the 30-day free trial. During that period, you can access a usage tab in the Macie console that will estimate your usage for S3 bucket-level inventory and an evaluation for security and access controls. The console will also estimate your automated data discovery, which includes the data inspected for sensitive data discovery and the objects monitored in your S3 storage, before transitioning to paid usage.

Q: How does automated data discovery lower my spend for discovering sensitive data?

A: Macie uses various techniques including resource clustering by attributes such as bucket name, file types, and prefixes to cost-efficiently sample data broadly across an organization and minimize the data scanning needed to uncover sensitive data in S3 buckets. You can use automated data discovery to identify where your sensitive data resides in S3 and continually evaluate how well it is being protected without manually configuring and running targeted data discovery jobs.

Q: How do I know how much I’m spending on Macie targeted sensitive data discovery each month?

A: As you configure and submit targeted sensitive data discovery jobs, you can visit the usage tab in the Macie console to view month-to-date spend based on actual usage in your account. This provides visibility into your spend as you configure targeted sensitive data discovery jobs across your buckets.

Q: How do I monitor spend in multi-account configuration?

A: If deployed in a multi-account configuration, usage is rolled up to the Macie master account to provide total usage for all accounts and a breakdown of usage by individual account. This helps you review and monitor Macie spend across your entire organization.

Q: What service quotas are in place to control usage and spend?

A: Macie comes with a default service quota of 5 TB per account for targeted sensitive data discovery. You can further increase your service quota (see Quotas for Amazon Macie) beyond 25 TB through AWS Support. These service quotas cap the total spend in an account and help you manage your spend across accounts. If a service quota is reached, your targeted sensitive data discovery jobs are paused to verify no further charges are incurred. You are then notified in the Macie console and the AWS Personal Health Dashboard. You can then increase your service quota or allow them to automatically reset in the next calendar month, where the jobs will automatically resume. There are no service quotas for S3 bucket inventory evaluation.

Q: How do I estimate the actual spend for a targeted sensitive data discovery job on a bucket?

A: Macie provides an inventory of all your buckets including what S3 has listed as the estimated storage size, object count, and the presence of any compressed objects. This can be used to estimate the cost of running targeted sensitive data discovery on a bucket or buckets; however, actual data processed could vary. For any unsupported object types in the bucket, Macie will skip those objects and you will not be charged for them. For any compressed objects, they will be decompressed and inspected, which could result in data processed above the reported compressed size.
For targeted sensitive data discovery jobs that run periodically, Macie will evaluate all existing data in a bucket and automatically inspect only new objects placed in the bucket over time. To estimate the cost of a periodic targeted discovery job, Macie will display the estimated size of the bucket at the time of submission, which can be used to calculate the initial cost to inspect the bucket. You can then estimate the growth of data in the bucket to calculate the cost to inspect new objects placed in the bucket over time. You can use the usage tab in the Macie console to monitor month-to-date spend across all jobs and service quotas to cap spend in an account.