---
title: Amazon Macie Pricing: Why Scanning a 500 GB Bucket Can Cost $500
description: Macie bills two ways: bucket-level evaluation at $0.10 per bucket per month, and sensitive-data discovery at $1.00 per GB inspected. A 500 GB bucket scanned for PII costs $500 just for the discovery; multi-bucket organizations easily hit $10K+ per month. Automated discovery is cheaper than full jobs but compounds across the bucket footprint.
url: https://www.factualminds.com/blog/amazon-macie-pricing-bucket-evaluations-sensitive-data/
datePublished: 2026-06-13T00:00:00.000Z
dateModified: 2026-06-13T00:00:00.000Z
author: palaniappan-p
category: Cost Optimization & FinOps
tags: amazon-macie, macie-pricing, aws-pricing, cost-optimization, finops, security
---

# Amazon Macie Pricing: Why Scanning a 500 GB Bucket Can Cost $500

> Macie bills two ways: bucket-level evaluation at $0.10 per bucket per month, and sensitive-data discovery at $1.00 per GB inspected. A 500 GB bucket scanned for PII costs $500 just for the discovery; multi-bucket organizations easily hit $10K+ per month. Automated discovery is cheaper than full jobs but compounds across the bucket footprint.

import PricingHeroStats from '~/components/blog/PricingHeroStats.astro';
import PricingDimensionTable from '~/components/blog/PricingDimensionTable.astro';
import BillSurpriseCallout from '~/components/blog/BillSurpriseCallout.astro';
import PricingDecisionCard from '~/components/blog/PricingDecisionCard.astro';

Amazon Macie is the AWS sensitive-data classification service for S3 — it inspects object content, identifies PII, PHI, credentials, and custom-defined patterns, and produces findings that drive compliance reporting and breach detection. The bill structure has two distinct dimensions: a flat per-bucket evaluation charge that scales with bucket count, and a per-GB discovery charge that scales with the actual data inspected. The discovery line is where most Macie bills land surprisingly high — $1 per GB inspected adds up fast on a multi-TB sensitive-data inventory.

<PricingHeroStats
  stats={[
    { value: '$0.10', label: 'Per bucket / month', note: 'Inventory + Level 1 controls per bucket' },
    { value: '$1.00', label: 'Per GB inspected', note: 'Sensitive-data discovery; 50 GB free per account' },
    { value: 'Continuous', label: 'Automated discovery', note: 'Sampled subset; broad coverage cheap' },
    { value: 'Full', label: 'Discovery jobs', note: 'Every object scanned; expensive but complete' },
  ]}
  caption="us-east-1 list prices, June 2026. Verify against the AWS Macie pricing page for your region."
/>

This post is the bill story. For the operational architecture — finding triage, custom data identifiers, integration with Security Hub — see our [Macie investigation guide](/blog/aws-macie-detective-data-security-investigation/). For the S3 security context, [S3 security best practices](/blog/aws-s3-security-best-practices-preventing-data-exposure/) covers the protective controls that Macie complements.

## The Two Macie Billing Dimensions

<PricingDimensionTable
  title="Macie pricing breakdown — us-east-1, June 2026"
  intro="Two main dimensions. The per-bucket line is flat; the per-GB discovery line is the variable that drives most bills."
  region="us-east-1"
  dimensions={[
    {
      name: 'Bucket-level evaluation',
      unitPrice: '$0.10 / bucket / month',
      example: '500 buckets across accounts',
      monthly: '$50',
      note: 'Inventory + policy + encryption checks',
    },
    {
      name: 'Sensitive-data discovery — full',
      unitPrice: '$1.00 / GB inspected (tiered)',
      example: '500 GB bucket scanned',
      monthly: '$500 (first scan)',
      note: '50 GB free per account per month',
      highlight: true,
    },
    {
      name: 'Sensitive-data discovery — automated',
      unitPrice: '$1.00 / GB sampled',
      example: '5% sample of 10 TB',
      monthly: '~$500',
      note: 'Configurable sampling rate',
      highlight: true,
    },
    {
      name: 'Custom data identifier evaluation',
      unitPrice: 'Included in per-GB rate',
      example: 'Custom regex on PII',
      monthly: '$0 extra',
      note: 'No per-identifier surcharge',
    },
    {
      name: 'Findings publication',
      unitPrice: 'Free to EventBridge / Security Hub',
      example: 'Standard integrations',
      monthly: '$0',
      note: 'Downstream services bill separately',
    },
    {
      name: 'Multi-account organization administration',
      unitPrice: 'Per-account billing',
      example: 'Org with 100 accounts',
      monthly: 'Scales linearly',
      note: 'No org-level discount on usage',
      highlight: true,
    },
  ]}
  footnote="The 50 GB free tier is per-account per-month — modest relief for small accounts, irrelevant at organization scale."
/>

## Why a 500 GB Bucket Costs $500 to Scan

The math is direct: 500 GB × $1/GB = $500 for one full discovery scan at list price (the 50 GB monthly allowance takes it to $450 if nothing else in the account is scanned that month). If that job runs monthly, the bill is $500/month for a single 500 GB bucket. Across an organization with 50 buckets of similar size under a quarterly compliance scan, each quarter inspects 25 TB for about $25,000, which is roughly $8,300/month once amortized.

The cost driver is the actual data volume scanned, not the object count. A bucket with 1 million 1 KB files (1 GB total) costs $1 to scan; a bucket with 100 objects of 5 GB each (500 GB total) costs $500. The per-object overhead is minimal; the per-byte content-inspection cost dominates.

<BillSurpriseCallout
  variant="surprise"
  title="Quarterly full-scan jobs on every bucket in the inventory"
  amount="$5K–$50K / month per organization"
>
  Many compliance programs default to "scan all buckets quarterly." On a multi-TB bucket inventory, this lands at
  five-figure monthly Macie bills. Scope quarterly scans to compliance-tracked buckets only — buckets holding regulated
  data (PHI, PII, payment data) — and use automated discovery for broader visibility on the rest of the inventory.
</BillSurpriseCallout>

## Automated Discovery: The Cheaper Broad-Coverage Path

Automated sensitive data discovery continuously analyzes a representative sample of objects from each bucket in scope, and Macie chooses that sample itself. The lever you hold is scope, not depth: exclude buckets that do not need coverage (build artifacts, logs, static assets) rather than expecting a per-bucket sampling knob. Where a specific bucket needs higher confidence than the sample gives, run a classification job on that bucket.

The economics compared to full jobs:

<PricingDimensionTable
  title="Automated discovery vs full job — 10 TB bucket inventory"
  intro="Same data, two scan strategies. Automated discovery covers all buckets at sampled depth; full jobs scan everything but cost the full data volume."
  region="us-east-1"
  dimensions={[
    {
      name: 'Full scan, monthly',
      unitPrice: '$1/GB × 10 TB',
      example: 'Complete object-level coverage',
      monthly: '$10,000/mo',
      note: 'Compliance-grade coverage',
    },
    {
      name: 'Automated discovery, 5% sample',
      unitPrice: '$1/GB × 500 GB',
      example: 'Broad bucket-level signal',
      monthly: '$500/mo',
      note: '95% cheaper; finds which buckets have sensitive data',
      highlight: true,
    },
    {
      name: 'Layered: automated + targeted full scans',
      unitPrice: 'Mixed',
      example: '20% of inventory flagged → full scan',
      monthly: '~$2,500/mo',
      note: 'Best balance of cost and coverage',
      highlight: true,
    },
    {
      name: 'Quarterly full scan only on flagged buckets',
      unitPrice: 'Per-quarter cost',
      example: 'Compliance reporting',
      monthly: 'Bursty, scopeable',
      note: 'Schedule for budget control',
    },
  ]}
  footnote="The layered approach — automated on everything, full scans on flagged subsets — is the right pattern for most compliance programs."
/>
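The table above uses round numbers. The estimator below, an added illustration and not code from the post or from AWS, applies the same strategies to a constructed bucket inventory so you can swap in your own sizes. It uses the post's rates ($1.00 per GB, 50 GB free per account per month); the tier boundaries above 50 TB and the 5% automated sample depth are modelling assumptions, not AWS-published figures, so verify them against the pricing page before trusting a total. The per-account grouping matters: the free allowance and the tiers apply per account, not per organization.

```python
"""Model the monthly Macie discovery line for a bucket inventory under the four
strategies in the comparison table. Added illustration, not code from the post
or from AWS. Rates follow the post ($1.00/GB, 50 GB free per account per month);
the tiers above 50 TB and the 5% sample depth are modelling assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

FREE_GB_PER_ACCOUNT = 50.0        # per account per month, as quoted in the post
# (tier upper bound in GB, price per GB). Assumption: the post only says "tiered".
TIERS = [(50_000.0, 1.00), (500_000.0, 0.50), (float("inf"), 0.25)]
AUTOMATED_SAMPLE_FRACTION = 0.05  # illustrative depth used by the post's table


@dataclass(frozen=True)
class Bucket:
    name: str
    account: str
    size_gb: float
    flagged: bool  # automated discovery has already reported sensitive data here


def discovery_cost(gb_inspected: float) -> float:
    """Tiered discovery charge for one account-month after the free allowance."""
    billable = max(0.0, gb_inspected - FREE_GB_PER_ACCOUNT)
    cost, lower = 0.0, 0.0
    for upper, price in TIERS:
        if billable <= lower:
            break
        cost += (min(billable, upper) - lower) * price
        lower = upper
    return round(cost, 2)


def monthly_cost(buckets: Iterable[Bucket], gb_of: Callable[[Bucket], float]) -> float:
    """Sum GB per account first: the free allowance and the tiers apply per account."""
    per_account: Dict[str, float] = {}
    for b in buckets:
        per_account[b.account] = per_account.get(b.account, 0.0) + gb_of(b)
    return round(sum(discovery_cost(gb) for gb in per_account.values()), 2)


def full_monthly(buckets):
    """Scheduled full job on every bucket every month."""
    return monthly_cost(buckets, lambda b: b.size_gb)


def automated_only(buckets):
    """Automated discovery everywhere at the assumed sample depth."""
    return monthly_cost(buckets, lambda b: b.size_gb * AUTOMATED_SAMPLE_FRACTION)


def layered(buckets):
    """Automated everywhere plus a monthly full job on the flagged buckets."""
    return monthly_cost(
        buckets,
        lambda b: b.size_gb * AUTOMATED_SAMPLE_FRACTION + (b.size_gb if b.flagged else 0.0),
    )


def quarterly_full_on_flagged(buckets):
    """One full job per quarter on flagged buckets only, amortised per month."""
    quarter = monthly_cost([b for b in buckets if b.flagged], lambda b: b.size_gb)
    return round(quarter / 3, 2)


# Constructed inventory: 10 TB across two accounts, 20 buckets of 500 GB,
# 20% of them already flagged by automated discovery.
INVENTORY = [
    Bucket(f"acct-a-data-{i:02d}", "111111111111", 500.0, flagged=i < 2) for i in range(10)
] + [
    Bucket(f"acct-b-data-{i:02d}", "222222222222", 500.0, flagged=i < 2) for i in range(10)
]


def compare(buckets) -> Dict[str, float]:
    return {
        "full monthly": full_monthly(buckets),
        "automated only": automated_only(buckets),
        "layered": layered(buckets),
        "quarterly full on flagged (per month)": quarterly_full_on_flagged(buckets),
    }


if __name__ == "__main__":
    for strategy, usd in compare(INVENTORY).items():
        print(f"{strategy:40s} ${usd:>10,.2f}")
```

On the constructed inventory the full-monthly line comes out at $9,900, automated-only at $400, layered at $2,400 and the quarterly-on-flagged pattern at about $633 a month; the gap between the last two is the price of monthly rather than quarterly evidence on the buckets that matter.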

## Custom Data Identifiers: Free at the Per-GB Rate

Custom data identifiers (a regex, optional keywords that must appear within a maximum match distance of the match, and ignore words for known false positives, used for organization-specific data shapes such as internal IDs, account-number formats, proprietary classifications) are evaluated as part of the standard per-GB discovery rate. There is no per-identifier surcharge.

This makes Macie cost-effective for organizations with unusual data-classification requirements. Build custom identifiers for your specific patterns; the discovery cost remains the same as the built-in identifiers.

The waste pattern is not Athena's per-byte price: Athena bills $5 per TB scanned, a small fraction of Macie's $1 per GB, so an ad-hoc Athena query is cheaper per byte on structured data you can already query. The waste is operational. Athena only reads formats it can parse, returns rows rather than findings, and leaves you maintaining the regexes, the severity logic and the hand-off to Security Hub or EventBridge by hand. A custom identifier runs inside the scan you are already paying for and lands in the same findings pipeline as the built-in identifiers.
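Because the identifier runs at the per-GB rate, the cheap place to find out that a regex is wrong is before the job starts. The block below is an added example, not code from the post or from AWS: it mirrors the fields of `macie2 create-custom-data-identifier` (regex, keywords, maximumMatchDistance, ignoreWords) and dry-runs them on constructed sample text. The matching is a Python approximation of how Macie applies those fields, not Macie's engine, and the account-number format is hypothetical; a local pass is a smoke test for the pattern, not a guarantee of Macie's results.

```python
"""Dry-run a custom data identifier locally on sample text before paying the
per-GB rate to run it across a bucket. Added example, not from the post or from
AWS. The matching below approximates Macie's regex + keyword-distance +
ignore-word evaluation; it is not Macie's engine.
"""
import re
from typing import List

# Hypothetical organisation-specific shape: three letters, a dash, nine digits.
IDENTIFIER = {
    "name": "internal-account-number",
    "regex": r"\b[A-Z]{3}-\d{9}\b",
    "keywords": ["account", "acct", "customer id"],
    "maximumMatchDistance": 40,          # a keyword must sit this close before the match
    "ignoreWords": ["TST-000000000"],    # known test fixture, never a real account
}


def find_matches(text: str, ident: dict) -> List[str]:
    """Regex matches that survive the ignore-word and keyword-proximity checks."""
    pattern = re.compile(ident["regex"])
    keywords = [k.lower() for k in ident.get("keywords", [])]
    ignore = set(ident.get("ignoreWords", []))
    distance = int(ident.get("maximumMatchDistance", 50))
    lowered = text.lower()
    hits = []
    for m in pattern.finditer(text):
        value = m.group(0)
        if value in ignore:
            continue
        if keywords:
            # approximation: some keyword must appear in the `distance` chars before the match
            window = lowered[max(0, m.start() - distance):m.end()]
            if not any(k in window for k in keywords):
                continue
        hits.append(value)
    return hits


def to_create_params(ident: dict) -> dict:
    """Keyword arguments for boto3 macie2.create_custom_data_identifier, after a syntax check."""
    re.compile(ident["regex"])  # raises re.error on a malformed pattern before any GB is billed
    if int(ident.get("maximumMatchDistance", 50)) < 1:
        raise ValueError("maximumMatchDistance must be positive")
    return {
        "name": ident["name"],
        "regex": ident["regex"],
        "keywords": list(ident.get("keywords", [])),
        "maximumMatchDistance": int(ident.get("maximumMatchDistance", 50)),
        "ignoreWords": list(ident.get("ignoreWords", [])),
    }


# Constructed sample: one real hit, one match with no keyword nearby, one ignore word,
# one match whose keyword is too far away.
SAMPLE = (
    "Customer ID: ABC-123456789 opened 2024-01-02.\n"
    "Shipment ref XYZ-987654321 dispatched.\n"
    "acct TST-000000000 is the load-test fixture.\n"
    "Notes: the account was merged " + "." * 60 + " with DEF-555555555.\n"
)

if __name__ == "__main__":
    print(find_matches(SAMPLE, IDENTIFIER))
```

Run it against a few hundred real-looking records exported from the bucket you intend to scan; a keyword list that drops every true match, or an ignore list that misses a fixture value, shows up here for free rather than as a $500 job full of noise.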

## Multi-Region: The Hidden Multiplier

Macie is enabled per region. Data replicated across regions (via S3 Cross-Region Replication or by application-level replication) means the same bytes get scanned multiple times if Macie runs in each region.

The mitigation: scope Macie to the source region. Replicated buckets in secondary regions can rely on the source-region scan results for compliance reporting, because CRR delivers byte-identical copies of the objects it replicates. Two caveats before you lean on that: replication only covers objects written after the rule was enabled (pre-existing objects need an S3 Batch Replication job), and a destination bucket that also takes direct writes holds data the source scan never saw, so treat a replica as covered only when nothing writes to it except replication. Configure Macie organization-wide with explicit per-region enablement that matches your data-residency posture; don't enable globally by default.

<BillSurpriseCallout
  variant="trap"
  title="Macie enabled in every region 'in case data lands there'"
  amount="2–5× the necessary spend"
>
  Enable Macie in regions where sensitive data is actually stored or could land. For DR-standby regions with replicated
  data, the source-region scan results are equivalent (CRR is byte-identical). For regions that host only build
  artifacts, container images, or logs, Macie discovery has little to find. Audit the regional enablement quarterly.
</BillSurpriseCallout>

## Bucket-Level Evaluation: The Per-Bucket Compounding

The $0.10/bucket/month evaluation charge covers bucket-policy review, encryption status, public access checks, and replication configuration. It is small per bucket but compounds at scale: a multi-account organization with 1,000 buckets pays $100/month for evaluation alone.

The line cannot be scoped once Macie is enabled: every bucket in the account is evaluated, which is what makes it the base "Macie is on" charge. The only reduction is fewer buckets. For organizations with bucket sprawl (one bucket per microservice per environment per region), consolidating into shared buckets with a prefix per tenant reduces the evaluation line proportionally, but treat that as a FinOps nudge rather than a target. A bucket is also an IAM and bucket-policy boundary, and prefix-level isolation has to be re-expressed in resource ARNs and policy conditions; saving $0.10 a month per bucket does not justify merging data sets that need separate access control, and the whole line is $100/month on 1,000 buckets against a discovery line measured in thousands.

## When to Use Macie vs Alternatives

<PricingDecisionCard
  headline="Macie for managed sensitive-data classification on S3; custom Lambda+Comprehend pipeline only for unusual requirements."
  useWhen={[
    'Compliance-driven sensitive-data inventory across multi-bucket S3 deployments',
    'Buckets receiving user-uploaded content where PII detection drives data handling decisions',
    'Organizations needing managed PII / PHI classification with built-in identifiers (GDPR, HIPAA, PCI compliance)',
    'Custom data identifiers for organization-specific patterns — included in the per-GB rate',
    'Layered scanning: automated discovery on all buckets, full jobs on flagged subsets',
  ]}
  avoidWhen={[
    'Quarterly full scans on every bucket in inventory — pure waste compared to layered approach',
    'Macie enabled in regions where sensitive data does not actually land',
    'Macie on buckets containing only build artifacts, container images, or non-sensitive logs',
    'Replicated data scanned in both source and destination regions — scan source only',
    'DIY S3+Lambda+Comprehend pipelines at any scale where Macie covers the use case — operational cost dwarfs Macie',
  ]}
  footnote="The compliance and operational value of managed classification almost always exceeds the bill. The optimization is in scope, not in choosing alternatives."
/>

## A 30-Day Macie Bill Cleanup Plan

**Week 1 — Job scope audit.** Identify scheduled discovery jobs. For each job with broad bucket scope, narrow to compliance-tracked buckets only. Use automated discovery for broader visibility on non-compliance buckets.

**Week 2 — Regional enablement.** Map Macie regional enablement to actual sensitive-data residency. Disable Macie in regions where sensitive data does not land (build artifact regions, log-only regions).

**Week 3 — Automated discovery scope.** Review which buckets automated discovery covers. Exclude buckets that are consistently clean and hold nothing regulated (build artifacts, logs, static assets); for buckets that have generated findings, decide whether a scoped classification job is warranted rather than waiting for the sample to grow.

**Week 4 — Custom identifier review.** Validate that custom data identifiers cover the organization-specific patterns. Add identifiers for internal classifications previously discovered via ad-hoc Athena queries.

## What This Post Doesn't Cover

- **Finding triage workflows** — covered in our [Macie investigation guide](/blog/aws-macie-detective-data-security-investigation/).
- **Detective integration for investigation** — Detective bills independently; covered in our security operations content.
- **Comparison with third-party DLP tools** (Symantec, McAfee MVISION) — different operational model, different pricing structure.
- **DataZone classification overlap** — DataZone provides a different classification layer for data lineage; covered separately.

## If You Only Do One Thing This Week

Switch from monthly full-scan jobs to automated discovery on most buckets, with scheduled full scans only on buckets that have actually generated findings in the past quarter. Run `aws macie2 list-classification-jobs` to find current jobs; for each, `aws macie2 describe-classification-job --job-id <id>` shows the bucket definitions, the `scheduleFrequency` and the `samplingPercentage`, a per-job lever that defaults to 100%. Replace broad-scope monthly jobs with automated discovery (toggle in the Macie console under Settings → Sensitive data discovery → Automated), or at minimum narrow their bucket list and lower the sampling percentage. The change typically cuts the discovery line by 70–90% without reducing coverage on the buckets that are actually in scope of the compliance program.
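The job audit described above can be scripted. The block below is an added example, not code from the post or from AWS: it takes job records shaped like `aws macie2 describe-classification-job` output (boto3: `macie2.describe_classification_job`) and flags the over-scoped pattern: recurring, unsampled, many buckets, buckets outside the compliance set, no prefix exclusions, then ranks jobs by the GB they inspect per month. The two job records, the bucket sizes and the compliance set are constructed; in practice you would build the list from `list-classification-jobs` and describe each job, and take sizes from the Macie bucket inventory or S3 Storage Lens.

```python
"""Audit Macie classification jobs for the broad-scope pattern: recurring,
unsampled, many buckets, buckets outside the compliance set, no prefix
exclusions. Added example, not from the post or from AWS. Job records are
constructed to mirror describe-classification-job output.
"""
from typing import Dict, List, Set

RUNS_PER_MONTH = {"dailySchedule": 30.0, "weeklySchedule": 4.0, "monthlySchedule": 1.0}
BROAD_BUCKET_COUNT = 5  # assumption: more buckets than this in one job counts as broad


def runs_per_month(job: dict) -> float:
    """ONE_TIME jobs do not recur; scheduled jobs recur daily, weekly or monthly."""
    if job.get("jobType") != "SCHEDULED":
        return 0.0
    freq = job.get("scheduleFrequency") or {}
    return next((runs for key, runs in RUNS_PER_MONTH.items() if key in freq), 0.0)


def scoped_buckets(job: dict) -> List[str]:
    defs = (job.get("s3JobDefinition") or {}).get("bucketDefinitions") or []
    return [bucket for d in defs for bucket in d.get("buckets", [])]


def has_prefix_excludes(job: dict) -> bool:
    scoping = (job.get("s3JobDefinition") or {}).get("scoping") or {}
    terms = (scoping.get("excludes") or {}).get("and") or []
    return any(t.get("simpleScopeTerm", {}).get("key") == "OBJECT_KEY" for t in terms)


def audit_job(job: dict, compliance_buckets: Set[str], bucket_size_gb: Dict[str, float]) -> dict:
    """Reasons a job looks over-scoped, plus the GB it inspects per month."""
    buckets = scoped_buckets(job)
    runs = runs_per_month(job)
    sampling_pct = job.get("samplingPercentage", 100)
    reasons = []
    if runs >= 1:
        reasons.append(f"recurs {runs:g}x per month")
    if sampling_pct == 100:
        reasons.append("samplingPercentage=100 (every object inspected)")
    if job.get("bucketCriteria"):
        reasons.append("criteria-based scope: pulls in every bucket matching the criteria")
    if len(buckets) > BROAD_BUCKET_COUNT:
        reasons.append(f"{len(buckets)} buckets in one job")
    outside = sorted(set(buckets) - compliance_buckets)
    if outside:
        reasons.append(f"buckets outside compliance scope: {outside}")
    if not has_prefix_excludes(job):
        reasons.append("no OBJECT_KEY prefix exclusions (logs/, tmp/, ... all inspected)")
    # GB per month if the job runs as scheduled; ONE_TIME jobs contribute 0 here
    gb = sum(bucket_size_gb.get(b, 0.0) for b in buckets) * (sampling_pct / 100) * runs
    return {"jobId": job["jobId"], "name": job.get("name"),
            "estimated_gb_per_month": round(gb, 1), "reasons": reasons}


def rank_jobs(jobs, compliance_buckets, bucket_size_gb) -> List[dict]:
    """Most expensive job first, so the first row is the one to fix this week."""
    results = [audit_job(j, compliance_buckets, bucket_size_gb) for j in jobs]
    return sorted(results, key=lambda r: r["estimated_gb_per_month"], reverse=True)


# Constructed data: bucket sizes and the set of buckets the compliance program tracks.
SIZES_GB = {"prod-customer-records": 500.0, "prod-payments": 300.0, "ci-artifacts": 2000.0,
            "app-logs": 4000.0, "static-assets": 800.0, "analytics-export": 1200.0}
COMPLIANCE_BUCKETS = {"prod-customer-records", "prod-payments"}

JOBS = [
    {   # the waste pattern: every bucket, monthly, unsampled, no exclusions
        "jobId": "job-a", "name": "compliance-scan-all-buckets", "jobType": "SCHEDULED",
        "jobStatus": "RUNNING", "samplingPercentage": 100,
        "scheduleFrequency": {"monthlySchedule": {"dayOfMonth": 1}},
        "s3JobDefinition": {"bucketDefinitions": [
            {"accountId": "111111111111", "buckets": sorted(SIZES_GB)}]},
    },
    {   # the intended shape: compliance buckets only, prefix exclusions in place
        "jobId": "job-b", "name": "pii-compliance-monthly", "jobType": "SCHEDULED",
        "jobStatus": "RUNNING", "samplingPercentage": 100,
        "scheduleFrequency": {"monthlySchedule": {"dayOfMonth": 1}},
        "s3JobDefinition": {
            "bucketDefinitions": [{"accountId": "111111111111",
                                   "buckets": ["prod-customer-records", "prod-payments"]}],
            "scoping": {"excludes": {"and": [{"simpleScopeTerm": {
                "comparator": "STARTS_WITH", "key": "OBJECT_KEY", "values": ["logs/", "tmp/"]}}]}},
        },
    },
]

if __name__ == "__main__":
    for r in rank_jobs(JOBS, COMPLIANCE_BUCKETS, SIZES_GB):
        print(f"{r['name']}: ~{r['estimated_gb_per_month']:,.0f} GB/month")
        for reason in r["reasons"]:
            print("  -", reason)
```

On the constructed records the all-buckets job inspects 8,800 GB a month, eleven times the compliance-only job, and 8,000 GB of that is buckets the compliance program never asked for; that row is the one to replace with automated discovery.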

For the operational triage of Macie findings, the [Macie investigation guide](/blog/aws-macie-detective-data-security-investigation/) covers the design side.

## FAQ

### Why is Macie sensitive-data discovery $1 per GB?
The $1/GB rate reflects what Macie actually does: extract text from every object, parse the content, run pattern matching against built-in and custom data identifiers (PII, PHI, credentials, custom regexes), and store the findings. The compute cost of doing this at scale across S3 is substantial — Macie is essentially running a managed text-extraction-and-pattern-matching pipeline. The premium over raw S3 operations reflects the parsing and ML-based classification work. The first 50 GB per account per month is free; everything above that bills at $1/GB tiered down at very high volumes.

### How does automated discovery differ from full discovery jobs?
Automated sensitive data discovery continuously analyzes a small, Macie-selected sample of objects per bucket; you control which buckets are included, not the sample size. It is cheaper than running a full job that scans every object but provides less coverage — automated discovery identifies which buckets have sensitive data without quantifying every match. Full discovery jobs scan every object in scope (or the fraction set by the job's sampling percentage) and provide a complete inventory but cost the full per-GB rate. The right combination: automated discovery on all buckets for broad coverage, scheduled full jobs on the buckets that automated discovery flagged as containing sensitive data.

### When does Macie actually pay off compared to building custom S3 scanning?
Macie pays off when the alternative is a custom S3-Lambda pipeline that reads each object, runs Comprehend or a custom NLP model, and writes findings. The cost of that pipeline (Lambda invocations + Comprehend API calls + storage) usually exceeds Macie at any meaningful object count. Macie also handles the operational layer (finding deduplication, severity scoring, automatic suppressions on noisy patterns) that the DIY alternative would require building. For compliance-driven sensitive-data inventory, Macie is almost always the right choice; the bill is the price of not running it yourself.

### Does enabling Macie on every account in my organization multiply the cost?
Yes. Macie is a regional service enabled per account per region. Organization-wide enablement via the Macie organization admin pattern auto-enables Macie on every account-region. The bucket evaluation line ($0.10 per bucket per month) and the discovery line ($1/GB per scanned data) bill per account independently. The first 50 GB free tier is per-account, which provides modest relief for small accounts. The mitigation: enable Macie organization-wide as the security posture requires, but scope discovery jobs aggressively per account to keep the bill bounded.

### How do I scope Macie discovery jobs without missing sensitive data?
Use a layered approach. First, automated discovery on all buckets (cheap, broad). When automated discovery flags a bucket as containing sensitive data, schedule a full job on that specific bucket. For data-classification compliance, run quarterly full-scan jobs on buckets in scope of the compliance program (PII storage, customer data, financial records); never run full scans across the entire bucket inventory monthly. Two job settings do most of the scoping work: the `scoping.excludes` terms on the job definition, which drop object-key prefixes that are obviously non-sensitive (e.g., `logs/`, `temp/`, `static-assets/`), and `samplingPercentage`, which lets a job inspect a fraction of the eligible objects when you want a signal rather than evidence. Note that Macie's own scheduler offers daily, weekly and monthly runs only; a quarterly cadence is a one-time job you launch on your own calendar.
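The scoped job the answer describes, as an added example rather than code from the post or from AWS: the function returns a dict shaped as the keyword arguments of boto3's `macie2.create_classification_job` (the same JSON works with `aws macie2 create-classification-job --cli-input-json`), with named buckets only, OBJECT_KEY prefix exclusions, an explicit sampling percentage and a cadence. It refuses an empty bucket list, an out-of-range sampling percentage and a cadence Macie's scheduler does not have, which is how a "quarterly" request becomes a ONE_TIME job. Bucket names, account id and prefixes are constructed.

```python
"""Build a tightly scoped Macie classification job: named compliance buckets,
OBJECT_KEY prefix exclusions, explicit samplingPercentage, cadence. Added
example, not from the post or from AWS; returns create_classification_job kwargs.
"""
import uuid
from typing import Iterable

# Macie's scheduler knows only these three frequencies; "quarterly" is not one
# of them, so a quarterly compliance scan is a ONE_TIME job you trigger yourself.
CADENCES = {
    "daily": {"dailySchedule": {}},
    "weekly": {"weeklySchedule": {"dayOfWeek": "MONDAY"}},
    "monthly": {"monthlySchedule": {"dayOfMonth": 1}},
}


def prefix_terms(prefixes: Iterable[str]) -> list:
    """One STARTS_WITH term over the object key; the `values` list is OR'd."""
    values = sorted({p for p in prefixes if p})
    return [{"simpleScopeTerm": {"comparator": "STARTS_WITH", "key": "OBJECT_KEY",
                                 "values": values}}] if values else []


def build_job(name: str, account_id: str, buckets: Iterable[str], exclude_prefixes=(),
              include_prefixes=(), sampling_percentage: int = 100,
              cadence: str = "one-time") -> dict:
    buckets = sorted(set(buckets))
    if not buckets:
        raise ValueError("name the compliance buckets explicitly; an empty scope is a misconfiguration")
    if not 1 <= int(sampling_percentage) <= 100:
        raise ValueError("samplingPercentage must be between 1 and 100")
    if cadence != "one-time" and cadence not in CADENCES:
        raise ValueError(f"unknown cadence {cadence!r}: Macie schedules daily, weekly or monthly")

    scoping = {}
    if exclude_prefixes:
        scoping["excludes"] = {"and": prefix_terms(exclude_prefixes)}
    if include_prefixes:
        scoping["includes"] = {"and": prefix_terms(include_prefixes)}

    job = {
        "clientToken": str(uuid.uuid4()),          # idempotency token; the SDK fills one in if omitted
        "name": name,
        "jobType": "ONE_TIME" if cadence == "one-time" else "SCHEDULED",
        "samplingPercentage": int(sampling_percentage),
        "managedDataIdentifierSelector": "ALL",    # every managed identifier; add customDataIdentifierIds for your own
        "s3JobDefinition": {
            "bucketDefinitions": [{"accountId": account_id, "buckets": buckets}],
        },
    }
    if scoping:
        job["s3JobDefinition"]["scoping"] = scoping
    if job["jobType"] == "SCHEDULED":
        job["scheduleFrequency"] = CADENCES[cadence]
        job["initialRun"] = True                   # analyse existing objects on the first run
    return job


if __name__ == "__main__":
    import json
    quarterly = build_job(
        "pii-compliance-q3", "111111111111",
        ["prod-customer-records", "prod-payments"],
        exclude_prefixes=["logs/", "temp/", "static-assets/"],
        sampling_percentage=100,          # compliance evidence: every eligible object
    )
    print(json.dumps(quarterly, indent=2))
    # To submit: boto3.client("macie2").create_classification_job(**quarterly)
```

Keep the `includes` side for the rare case where only one prefix of a large bucket holds regulated data; an `includes` term narrows the job to that prefix and the rest of the bucket never bills.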

### Why is my Macie bill higher in certain regions?
Macie pricing is regional but the rates are uniform across most commercial regions. The reason regional bills differ is data location — if your sensitive-data buckets are concentrated in us-east-1, Macie spend concentrates there. Multi-region data replication (S3 Cross-Region Replication) does not avoid the per-region scan cost; if the same data is replicated to three regions and Macie runs in each, the discovery cost is roughly tripled. Scope Macie to the primary region and trust that the replicated data is identical (which is what CRR guarantees).

### What is the relationship between Macie and GuardDuty Malware Protection for S3?
They are complementary, not redundant. Macie classifies objects by content (PII, credit card numbers, healthcare data) and bills per GB inspected for sensitive-data discovery. GuardDuty Malware Protection for S3 scans objects for malware and bills per GB scanned plus a per-object evaluation charge. Buckets receiving user-uploaded content typically need both: Malware Protection on every upload, Macie on the buckets storing structured customer data. Where the data allows, configure them on different bucket subsets so you are not paying both rates on the same bytes; where a bucket genuinely needs both (uploads that are also customer records), pay both rather than dropping the malware scan to save on the Macie line.

---

*Source: https://www.factualminds.com/blog/amazon-macie-pricing-bucket-evaluations-sensitive-data/*
