With Amazon Macie, you are charged based on the number of Amazon S3 buckets evaluated for bucket-level security and access controls and the quantity of data processed for sensitive data discovery.
Number of Amazon S3 buckets continually evaluated for security and access controls – When you enable Macie, the service will gather detail on all of your S3 buckets, including bucket names, size, object count, resource tags, encryption status, access controls, and region placement. Macie will then automatically and continually evaluate all of your buckets for security and access control, alerting you to any unencrypted buckets, publicly accessible buckets, or buckets shared with an AWS account outside of your organization. You are charged based on the total number of buckets in your account after the 30-day free trial and charges are pro-rated per day.
Quantity of data processed for sensitive data discovery – After enabling the service, you are able to configure and submit buckets for sensitive data discovery. This is done by selecting the buckets you would like scanned, configuring a one-time or periodic sensitive data discovery job, and submitting it to Macie. Macie only charges for the bytes processed in supported object types it inspects. As part of Macie sensitive data discovery jobs, you will also incur the standard Amazon S3 charges for GET and LIST requests. See “Requests and data retrievals” pricing on the Amazon S3 pricing page.
Free tier for sensitive data discovery
For sensitive data discovery jobs, the first 1 GB processed every month in each account comes at no cost. For each GB processed beyond the first 1 GB, charges will occur as defined in the pricing table below.
30-day free trial for S3 bucket-level evaluation of security and access controls
You can quickly get started with Macie using the 30-day free trial. When you enable the service, only the S3 bucket inventory and bucket-level evaluation charges apply, and those come at no cost for the first 30 days. After the first 30 days, the bucket evaluation charges will occur as defined in the pricing table below. Each new account that is enabled with Macie receives this free trial period, even in multi-account configurations.
Pricing examples (US East (Northern Virginia) Region prices)
Q: How do I estimate the cost of initial enablement of Macie in my account?
A: You can enable the service and take advantage of the 30-day free trial. During that period, you are presented with a usage tab in the Macie console that will estimate your spend for S3 bucket-level inventory and evaluation for security and access controls before transitioning to paid usage.
Q: How do I know how much I’m spending on Macie sensitive data discovery each month?
A: As you configure and submit sensitive data discovery jobs, you are able to visit the usage tab in the Macie console to view month-to-date spend based on actual usage in your account. This gives you visibility into your spend as you configure sensitive data discovery jobs across your buckets.
Q: How do I monitor spend when configured in multi-account?
A: If deployed in a multi-account configuration, usage is rolled up to the Macie master account to provide total usage for all accounts and a breakout of usage by individual account. This allows you to review and monitor Macie spend across your entire organization.
Q: What service quotas are in place to control usage and spend?
A: Macie comes with a default service quota for sensitive data discovery of 5 TB per account that you can raise up to 25 TB in the AWS Management Console (see Quotas for Amazon Macie). You can further increase your service quota beyond 25 TB through AWS Support. These service quotas cap the total spend in an account and allow you to manage spend across accounts. If a service quota is reached, your sensitive data discovery jobs are paused to ensure no further charges are incurred, and you are notified in the Macie console and the AWS Personal Health Dashboard. You can then increase your service quota or allow the quotas to reset automatically in the next calendar month, at which point the jobs resume automatically. There are no service quotas for S3 bucket inventory and bucket-level evaluation.
Q: How do I estimate the actual spend for a sensitive data discovery job on a bucket?
A: Macie provides an inventory of all your buckets, including what S3 has listed as the estimated storage size, object count, and the presence of any compressed objects. This can be used to estimate the cost of running sensitive data discovery on a bucket or buckets; however, the actual data processed could vary. For any unsupported object types in the bucket, Macie will skip those objects and you will not be charged for them. Any compressed objects will be decompressed and inspected, which could result in data processed above the reported compressed size.
Q: How do I estimate spend for continual sensitive data discovery?
A: You can configure your sensitive data discovery jobs to be periodic, where Macie will evaluate all existing data in a bucket and automatically inspect only new objects placed in the bucket over time. To estimate the cost of a periodic job, Macie will display the estimated size of the bucket at the time of submission, which can be used to calculate the initial cost to inspect the bucket. You can then estimate the growth of data in the bucket to calculate the cost to inspect new objects placed in the bucket over time. You can use the usage tab in the Macie console to monitor month-to-date spend across all jobs and service quotas to cap spend in an account.
Q: Does Macie support sampling as an option to further reduce cost?
A: Yes, you can configure a sensitive data discovery job to sample objects in a bucket by choosing a sample depth percentage. Macie will then select a random set of objects within the bucket based on the sample depth percentage you define. Each supported object within that sample set will be fully inspected, and findings will be generated for any sensitive data found. This can be used to get an indication of any sensitive data present within a bucket at a lower cost than inspecting all objects within the bucket.