Why is Macie sensitive-data discovery $1 per GB?

The $1/GB rate reflects what Macie actually does: extract text from every object, parse the content, run pattern matching against built-in and custom data identifiers (PII, PHI, credentials, custom regexes), and store the findings. The compute cost of doing this at scale across S3 is substantial — Macie is essentially running a managed text-extraction-and-pattern-matching pipeline. The premium over raw S3 operations reflects the parsing and ML-based classification work. The first 50 GB per account per month is free; everything above that bills at $1/GB tiered down at very high volumes.

How does automated discovery differ from full discovery jobs?

Automated sensitive data discovery samples a small subset of objects per bucket continuously (default sampling rate, configurable). It is cheaper than running a full job that scans every object but provides less coverage — automated discovery identifies which buckets have sensitive data without quantifying every match. Full discovery jobs scan every object in scope and provide complete inventory but cost the full per-GB rate. The right combination: automated discovery on all buckets for broad coverage, scheduled full jobs on the buckets that automated discovery flagged as containing sensitive data.

When does Macie actually pay off compared to building custom S3 scanning?

Macie pays off when the alternative is a custom S3-Lambda pipeline that reads each object, runs Comprehend or a custom NLP model, and writes findings. The cost of that pipeline (Lambda invocations + Comprehend API calls + storage) usually exceeds Macie at any meaningful object count. Macie also handles the operational layer (finding deduplication, severity scoring, automatic suppressions on noisy patterns) that the DIY alternative would require building. For compliance-driven sensitive-data inventory, Macie is almost always the right choice; the bill is the price of not running it yourself.

Does enabling Macie on every account in my organization multiply the cost?

Yes. Macie is a regional service enabled per account per region. Organization-wide enablement via the Macie organization admin pattern auto-enables Macie on every account-region. The bucket evaluation line ($0.10 per bucket per month) and the discovery line ($1/GB per scanned data) bill per account independently. The first 50 GB free tier is per-account, which provides modest relief for small accounts. The mitigation: enable Macie organization-wide as the security posture requires, but scope discovery jobs aggressively per account to keep the bill bounded.

How do I scope Macie discovery jobs without missing sensitive data?

Use a layered approach. First, automated discovery on all buckets (cheap, broad). When automated discovery flags a bucket as containing sensitive data, schedule a full job on that specific bucket. For data-classification compliance, run quarterly full-scan jobs on buckets in scope of the compliance program (PII storage, customer data, financial records); never run full scans across the entire bucket inventory monthly. Use object-key prefixes in job scope to exclude obviously non-sensitive prefixes (e.g., `logs/`, `temp/`, `static-assets/`).

Why is my Macie bill higher in certain regions?

Macie pricing is regional but the rates are uniform across most commercial regions. The reason regional bills differ is data location — if your sensitive-data buckets are concentrated in us-east-1, Macie spend concentrates there. Multi-region data replication (S3 Cross-Region Replication) does not avoid the per-region scan cost; if the same data is replicated to three regions and Macie runs in each, the discovery cost is roughly tripled. Scope Macie to the primary region and trust that the replicated data is identical (which is what CRR guarantees).

What is the relationship between Macie and GuardDuty Malware Protection for S3?

They are complementary, not redundant. Macie classifies objects by content (PII, credit card numbers, healthcare data) and bills per GB inspected for sensitive-data discovery. GuardDuty Malware Protection for S3 scans objects for malware signatures and bills per GB scanned. Buckets receiving user-uploaded content typically need both: Malware Protection on every upload, Macie on the buckets storing structured customer data. Configure them on different bucket subsets where possible to avoid paying both rates on the same bytes.

Amazon Macie Pricing: Bucket Evals + Sensitive Data Scans

Amazon Macie is the AWS sensitive-data classification service for S3 — it inspects object content, identifies PII, PHI, credentials, and custom-defined patterns, and produces findings that drive compliance reporting and breach detection. The bill structure has two distinct dimensions: a flat per-bucket evaluation charge that scales with bucket count, and a per-GB discovery charge that scales with the actual data inspected. The discovery line is where most Macie bills land surprisingly high — $1 per GB inspected adds up fast on a multi-TB sensitive-data inventory.

This post is the bill story. For the operational architecture — finding triage, custom data identifiers, integration with Security Hub — see our Macie investigation guide. For the S3 security context, S3 security best practices covers the protective controls that Macie complements.

The Two Macie Billing Dimensions

Macie pricing breakdown — us-east-1, June 2026

Prices in us-east-1

Two main dimensions. The per-bucket line is flat; the per-GB discovery line is the variable that drives most bills.

Dimension	Unit price	Example workload	Monthly cost
Bucket-level evaluation Inventory + policy + encryption checks	$0.10 / bucket / month	500 buckets across accounts	$50
Sensitive-data discovery — full 50 GB free per account per month	$1.00 / GB inspected (tiered)	500 GB bucket scanned	$500 (first scan)
Sensitive-data discovery — automated Configurable sampling rate	$1.00 / GB sampled	5% sample of 10 TB	~$500
Custom data identifier evaluation No per-identifier surcharge	Included in per-GB rate	Custom regex on PII	$0 extra
Findings publication Downstream services bill separately	Free to EventBridge / Security Hub	Standard integrations	$0
Multi-account organization administration No org-level discount on usage	Per-account billing	Org with 100 accounts	Scales linearly

Bucket-level evaluation

$50

Inventory + policy + encryption checks

Unit price: $0.10 / bucket / month
Example workload: 500 buckets across accounts

Sensitive-data discovery — full

$500 (first scan)

50 GB free per account per month

Unit price: $1.00 / GB inspected (tiered)
Example workload: 500 GB bucket scanned

Sensitive-data discovery — automated

~$500

Configurable sampling rate

Unit price: $1.00 / GB sampled
Example workload: 5% sample of 10 TB

Custom data identifier evaluation

$0 extra

No per-identifier surcharge

Unit price: Included in per-GB rate
Example workload: Custom regex on PII

Findings publication

Downstream services bill separately

Unit price: Free to EventBridge / Security Hub
Example workload: Standard integrations

Multi-account organization administration

Scales linearly

No org-level discount on usage

Unit price: Per-account billing
Example workload: Org with 100 accounts

The 50 GB free tier is per-account per-month — modest relief for small accounts, irrelevant at organization scale.

Why a 500 GB Bucket Costs $500 to Scan

The math is direct: 500 GB × $1/GB = $500 for one full discovery scan. If that scan runs monthly, the bill is $500/month per bucket — for a single 500 GB bucket. Across an organization with 50 buckets of similar size all under quarterly compliance scan, the discovery line lands at ~$8,000/month.

The cost driver is the actual data volume scanned, not the object count. A bucket with 1 million 1 KB files (1 GB total) costs $1 to scan; a bucket with 100 objects of 5 GB each (500 GB total) costs $500. The per-object overhead is minimal; the per-byte content-inspection cost dominates.

Automated Discovery: The Cheaper Broad-Coverage Path

Automated sensitive data discovery samples a configurable subset of objects per bucket continuously. The default sampling rate balances cost and coverage; you can tune it per-bucket if specific buckets need higher confidence.

The economics compared to full jobs:

Automated discovery vs full job — 10 TB bucket inventory

Prices in us-east-1

Same data, two scan strategies. Automated discovery covers all buckets at sampled depth; full jobs scan everything but cost the full data volume.

Dimension	Unit price	Example workload	Monthly cost
Full scan, monthly Compliance-grade coverage	$1/GB × 10 TB	Complete object-level coverage	$10,000/mo
Automated discovery, 5% sample 95% cheaper; finds which buckets have sensitive data	$1/GB × 500 GB	Broad bucket-level signal	$500/mo
Layered: automated + targeted full scans Best balance of cost and coverage	Mixed	20% of inventory flagged → full scan	~$2,500/mo
Quarterly full scan only on flagged buckets Schedule for budget control	Per-quarter cost	Compliance reporting	Bursty, scopeable

Full scan, monthly

$10,000/mo

Compliance-grade coverage

Unit price: $1/GB × 10 TB
Example workload: Complete object-level coverage

Automated discovery, 5% sample

$500/mo

95% cheaper; finds which buckets have sensitive data

Unit price: $1/GB × 500 GB
Example workload: Broad bucket-level signal

Layered: automated + targeted full scans

~$2,500/mo

Best balance of cost and coverage

Unit price: Mixed
Example workload: 20% of inventory flagged → full scan

Quarterly full scan only on flagged buckets

Bursty, scopeable

Schedule for budget control

Unit price: Per-quarter cost
Example workload: Compliance reporting

The layered approach — automated on everything, full scans on flagged subsets — is the right pattern for most compliance programs.

Custom Data Identifiers: Free at the Per-GB Rate

Custom data identifiers (regex patterns + keyword proximity rules + character distribution checks for your organization-specific data shapes — internal IDs, account number formats, proprietary classifications) are included in the standard per-GB discovery rate. There is no per-identifier surcharge.

This makes Macie cost-effective for organizations with unusual data-classification requirements. Build custom identifiers for your specific patterns; the discovery cost remains the same as the built-in identifiers.

The waste pattern: not using custom identifiers and instead running ad-hoc S3 queries via Athena to find specific patterns. Athena scans all data anyway and provides less structured findings; Macie’s per-GB rate covers the same scanning with managed pattern matching plus the integration with Security Hub and EventBridge.

Multi-Region: The Hidden Multiplier

Macie is enabled per region. Data replicated across regions (via S3 Cross-Region Replication or by application-level replication) means the same bytes get scanned multiple times if Macie runs in each region.

The mitigation: scope Macie to the source region. Replicated buckets in secondary regions can rely on the source-region scan results for compliance reporting — CRR guarantees byte-identical replication. Configure Macie organization-wide with explicit per-region enablement that matches your data-residency posture; don’t enable globally by default.

Bucket-Level Evaluation: The Per-Bucket Compounding

The $0.10/bucket/month evaluation charge covers bucket-policy review, encryption status, public access checks, and replication configuration. It is small per bucket but compounds at scale: a multi-account organization with 1,000 buckets pays $100/month for evaluation alone.

The line is non-negotiable when Macie is enabled (it is the base “Macie is on” charge). The mitigation is bucket consolidation rather than individual bucket cleanup — fewer buckets, lower evaluation bill. For organizations with bucket sprawl (one bucket per microservice per environment per region), the consolidated-bucket model with prefixes for tenancy reduces the evaluation line proportionally.

When to Use Macie vs Alternatives

Macie for managed sensitive-data classification on S3; custom Lambda+Comprehend pipeline only for unusual requirements.

Use when

Compliance-driven sensitive-data inventory across multi-bucket S3 deployments
Buckets receiving user-uploaded content where PII detection drives data handling decisions
Organizations needing managed PII / PHI classification with built-in identifiers (GDPR, HIPAA, PCI compliance)
Custom data identifiers for organization-specific patterns — included in the per-GB rate
Layered scanning: automated discovery on all buckets, full jobs on flagged subsets

Avoid when

Quarterly full scans on every bucket in inventory — pure waste compared to layered approach
Macie enabled in regions where sensitive data does not actually land
Macie on buckets containing only build artifacts, container images, or non-sensitive logs
Replicated data scanned in both source and destination regions — scan source only
DIY S3+Lambda+Comprehend pipelines at any scale where Macie covers the use case — operational cost dwarfs Macie

The compliance and operational value of managed classification almost always exceeds the bill. The optimization is in scope, not in choosing alternatives.

A 30-Day Macie Bill Cleanup Plan

Week 1 — Job scope audit. Identify scheduled discovery jobs. For each job with broad bucket scope, narrow to compliance-tracked buckets only. Use automated discovery for broader visibility on non-compliance buckets.

Week 2 — Regional enablement. Map Macie regional enablement to actual sensitive-data residency. Disable Macie in regions where sensitive data does not land (build artifact regions, log-only regions).

Week 3 — Automated discovery tuning. Review automated discovery sampling rates per bucket. Increase sampling on buckets that have generated findings; decrease on buckets consistently clean.

Week 4 — Custom identifier review. Validate that custom data identifiers cover the organization-specific patterns. Add identifiers for internal classifications previously discovered via ad-hoc Athena queries.

What This Post Doesn’t Cover

Finding triage workflows — covered in our Macie investigation guide.
Detective integration for investigation — Detective bills independently; covered in our security operations content.
Comparison with third-party DLP tools (Symantec, McAfee MVISION) — different operational model, different pricing structure.
DataZone classification overlap — DataZone provides a different classification layer for data lineage; covered separately.

If You Only Do One Thing This Week

Switch from monthly full-scan jobs to automated discovery on most buckets, with scheduled full scans only on buckets that have actually generated findings in the past quarter. Run aws macie2 list-classification-jobs to find currently-scheduled jobs; for each, check the bucket scope and the schedule. Replace broad-scope monthly jobs with automated discovery (toggle in the Macie console under Settings → Sensitive data discovery → Automated). The change typically cuts the discovery line by 70–90% with no loss of compliance coverage.

For the operational triage of Macie findings, the Macie investigation guide covers the design side.

Amazon Macie Pricing: Why Scanning a 500 GB Bucket Can Cost $500

The Two Macie Billing Dimensions