You enabled Macie for S3 compliance and your bill came in higher than expected. If that's you, the culprit is almost always the same dimension most teams don't account for: automated discovery object monitoring at scale.
The core issue is that Amazon Macie pricing has three independent billing dimensions, and two of them run continuously whether you're actively scanning or not. Most guides explain the rate card. This one explains what those rates actually cost at 50M objects, 500M objects, or 5 billion objects, and gives you concrete steps to reduce a bill that's already running.
All pricing is sourced from the Amazon Macie pricing page for US East (N. Virginia) as of March 2026. Rates vary by region.
How Amazon Macie Pricing Works
Macie has three billing dimensions, and this is where most confusion starts. Teams expect to pay only when Macie is actively scanning data. That's not how it works.
Two of the three dimensions run continuously the moment you enable Macie and, for automated discovery, as long as it stays enabled. You don't need to run a job. You don't need findings. You just need Macie to be on.
Dimension 1 - Bucket Inventory Monitoring
Every S3 general purpose bucket in your account gets counted, monitored, and billed at $0.10 per bucket per month. This starts after your 30-day free trial ends and continues as long as Macie is enabled.
A few things worth knowing:
- Charges apply even if a bucket is completely empty
- Billing is capped at 10,000 buckets per account. If you have 15,000 buckets, you pay for 10,000 (monitoring covers the most recently created or changed ones)
- Charges are prorated per day, so enabling Macie mid-month means a partial charge
At startup scale, this dimension is trivial. 50 buckets = $5/month. 500 buckets = $50/month. That's not where surprise bills come from.
Dimension 2 - Object Monitoring for Automated Discovery
This is the one that catches teams off guard. When automated sensitive data discovery is enabled, Macie tracks every S3 object in your account at $0.01 per 100,000 objects per month. This charges for the object inventory itself, not for reading any file content.
The numbers look small until you have a large S3 estate:
- 500,000 objects: $0.05/month (negligible)
- 50,000,000 objects: $5.00/month (still manageable)
- 5,000,000,000 objects: $500.00/month (per account, before Macie reads a single byte)
I've seen teams with centralized log buckets and data lake prefixes discover that their object counts are orders of magnitude larger than they assumed. The object monitoring charge is the primary driver of cost-shock at scale.
Dimension 3 - Data Inspection (Automated + Targeted Jobs)
When Macie actually reads and analyzes file content, it charges $1.00 per GB of uncompressed data. This applies to both automated sensitive data discovery and targeted discovery jobs, which are explicit full scans you configure and run manually.
The permanent 1 GB/month free tier covers the first gigabyte. It never expires and isn't tied to the 30-day trial. But 1 GB is a small amount in practice, one medium-sized targeted job will exceed it immediately.
A few billing behaviors worth knowing:
- Compressed and archive files are decompressed before scanning; the charge is based on uncompressed size (Macie assumes a 3:1 ratio for cost estimates, but actual charges reflect real uncompressed bytes)
- Unsupported file types like images are not analyzed and not charged
- Files exceeding per-type size limits are not analyzed and not charged (PDF max 1,024 MB; ZIP/GZ max 8 GB; non-binary text max 20 GB)
Free Trial vs. Free Tier: What You Actually Get
The terminology here trips people up. There are two different cost-reduction mechanisms, and they work very differently.
The 30-day free trial covers two of the three billing dimensions. The permanent free tier covers a sliver of the third. Targeted discovery jobs aren't included in the trial at all.
The 30-Day Free Trial
Every new account gets 30 days of:
- Bucket inventory monitoring (full coverage, no charge)
- Automated discovery object monitoring (full coverage, no charge)
- Automated discovery data inspection (up to 150 GB inspected, no charge)
What's not covered: targeted discovery jobs. If you run a targeted job on day one of your trial, you're billed for it from day one.
The Macie console shows your estimated post-trial monthly cost during the trial period. Pay attention to that number before the 30 days end. For accounts with more than 150 TB of data, the estimate may be lower than your actual post-trial cost because the trial's 150 GB data inspection cap limits what Macie can sample.
In an AWS Organization, each new member account gets its own independent 30-day trial. This makes staggered rollouts more cost-efficient than enabling everything at once.
One strategic use of the trial: run automated discovery during the 30 days to map your S3 estate and identify which buckets are likely to contain sensitive data. Then you can make a more targeted decision about which buckets deserve targeted jobs (and the associated cost) after the trial ends.
The Permanent 1 GB/Month Free Tier
The 1 GB/month free tier for data inspection applies forever, after the trial ends. It applies to both automated and targeted discovery.
In practice, it doesn't move the needle much. A single targeted job on a 10 GB bucket uses the entire free tier and costs $9 beyond that. The value is mostly symbolic at startup scale, but it does mean very small accounts (under 1 GB of scanned data per month) pay nothing for data inspection.
Amazon Macie Pricing Rates and Limits
At US East (N. Virginia) rates, here's the full rate table:
| Billing Dimension | Unit | Price |
|---|---|---|
| S3 bucket inventory and monitoring | Per bucket per month | $0.10 |
| S3 object monitoring (automated discovery) | Per 100,000 objects per month | $0.01 |
| Data inspected (automated discovery) | Per GB uncompressed | $1.00 |
| Data inspected (targeted discovery jobs) | Per GB uncompressed | $1.00 |
| Data inspected (first 1 GB/month) | Free tier | $0.00 |
Rates for other regions may differ. Use the AWS Pricing Calculator for region-specific rates. For context on how AWS cost estimation tools compare, see the AWS cost estimation tools guide.
Service Quotas That Affect Your Bill
Macie has a few quotas that directly affect how much you can spend, or rather, how much you can be protected from overspending.
| Quota | Default | Adjustable |
|---|---|---|
| S3 buckets monitored per account | 10,000 | No (natural cap) |
| Monthly targeted job data analysis | 5 TB | Yes, up to 1 PB via Service Quotas |
| Monthly targeted job data analysis (beyond 1 PB) | 1 PB | Yes, via AWS Support |
| S3 buckets excluded from automated discovery | 1,000 per account/org | No |
| S3 buckets per sensitive data discovery job | 1,000 | No |
The 5 TB monthly quota for targeted jobs is the most relevant for cost control. When reached, jobs pause automatically and resume at the start of the next calendar month. Macie notifies you via the console and AWS Personal Health Dashboard when you're approaching or at the limit.
I'd recommend keeping the default 5 TB quota in place unless you have a specific reason to raise it. It's a meaningful spending guardrail.
Pricing by Region
Macie is a regional service. Costs in one region have no effect on another region's billing. Running Macie in us-east-1 and eu-west-1 simultaneously means paying separately for both. The bucket monitoring rate ($0.10/bucket) is consistent across commercial regions, but data inspection rates may vary.
For exact non-US-East rates, use the AWS Pricing Calculator with the region selector.
Amazon Macie Pricing Examples: From Small to Enterprise Scale
AWS's official pricing page uses 15-bucket examples. They're useful for understanding the math, but they tell you nothing about what Macie costs when you have 100 buckets, 50 million objects, or a 20-account AWS Organization. Let's work through both.
The Official AWS Examples (15 Buckets)
These examples all assume post-trial billing with 15 S3 buckets.
Example 1: Empty buckets only
- Bucket monitoring: 15 x $0.10 = $1.50/month
Example 2: 15 buckets, 10M objects, 150 GB automated discovery
- Bucket monitoring: 15 x $0.10 = $1.50
- Object monitoring: (10,000,000 / 100,000) x $0.01 = $1.00
- Data inspection: (150 - 1) GB x $1.00 = $149.00
- Total: $151.50/month
Example 3: Example 2 + a 200 GB targeted discovery job
- Add: 200 GB x $1.00 = $200.00
- Total: $351.50/month
Example 4: Example 3 with 600 GB in the targeted job scope, but 100 GB are images (not analyzed)
- Targeted job data (500 GB supported): 500 x $1.00 = $500.00
- Total: $651.50/month
The examples are correct, but 15 buckets and 10M objects represents a small fraction of most real accounts.
Startup Scale (10 Buckets, 500K Objects, ~5 GB/Month Automated Discovery)
This is a small team using Macie for basic S3 compliance monitoring.
| Cost Component | Calculation | Monthly Cost |
|---|---|---|
| Bucket monitoring | 10 x $0.10 | $1.00 |
| Object monitoring | (500,000 / 100,000) x $0.01 | $0.05 |
| Data inspection | (5 - 1) GB x $1.00 | $4.00 |
| Total | ~$5.05/month |
At startup scale, Macie is inexpensive. The per-bucket charge dominates, and object monitoring is essentially free. Easy to justify for any team storing PII in S3.
Mid-Size Scale (100 Buckets, 50M Objects, ~200 GB/Month Automated Discovery)
This represents a growing company with multiple teams using S3 for data pipelines, backups, and application data.
| Cost Component | Calculation | Monthly Cost |
|---|---|---|
| Bucket monitoring | 100 x $0.10 | $10.00 |
| Object monitoring | (50,000,000 / 100,000) x $0.01 | $5.00 |
| Data inspection | (200 - 1) GB x $1.00 | $199.00 |
| Total | ~$214.00/month |
Data inspection is now the dominant cost. Adding targeted jobs on confirmed-sensitive buckets would push this higher, but object monitoring at $5/month is still manageable. If you're running a SOC 2 or HIPAA program, $214/month is a reasonable cost to have continuous S3 sensitive data discovery.
Enterprise Scale (500 Buckets, 5B Objects, 5 TB/Month Targeted Jobs, 20-Account Org)
This is where the math gets serious. Enterprises with data lakes, centralized logging, and large application footprints can have billions of S3 objects across their org.
Per-account estimate (large account hitting the 5 TB quota cap):
| Cost Component | Calculation | Monthly Cost |
|---|---|---|
| Bucket monitoring | 500 x $0.10 | $50.00 |
| Object monitoring | (5,000,000,000 / 100,000) x $0.01 | $500.00 |
| Automated discovery inspection | ~(100 - 1) GB x $1.00 (sampling varies) | ~$99.00 |
| Targeted jobs (at 5 TB quota cap) | 5,000 GB x $1.00 | $5,000.00 |
| Per-account total | ~$5,649/month |
The 1 GB/month free tier is consumed by automated discovery first, so targeted jobs are billed at full rate. Automated discovery data inspection varies by month depending on sampling depth and how many new objects enter the estate — the ~100 GB estimate assumes a mature baseline where most objects have been previously sampled.
Object monitoring alone is $500/month per account at 5B objects, before Macie reads a single file. That's the dimension most guides don't show you.
A 20-account org where all accounts are this size is roughly $113,000/month in the worst case. Realistically, most orgs have one or two large production accounts and many smaller dev/staging accounts. A more typical 20-account estimate might be $10,000-25,000/month depending on object distribution.
The 5 TB quota cap does meaningful work here. Without it, targeted jobs on a 5B-object estate could be significantly more expensive.
Amazon Macie Pricing Calculator
Rather than estimating manually, use the Amazon Macie pricing calculator to enter your actual account data. The calculator handles all three billing dimensions, automatically deducts the 1 GB/month free tier, and flags when your targeted job estimate approaches the 5 TB monthly quota cap.
For multi-account organizations, you can enter per-account data to see both individual account estimates and org-level totals. It also shows a breakdown by billing dimension so you can see which one is driving your costs.
Multi-Account and AWS Organizations Pricing
Macie's billing model in an AWS Organization has a few mechanics that aren't obvious from the pricing page. Understanding them matters for accurate cost forecasting and for taking advantage of the free trial across new member accounts.
The key point is that Macie charges are per-account, not per-org. There's no pooling of object counts or bucket counts across accounts. Each account is billed independently for its own bucket monitoring, object monitoring, and data inspection.
Per-Account Charges and Free Trial Mechanics
Every account in an org, including the administrator account, is billed for its own Macie usage. The administrator account does not absorb member account charges by delegating Macie administration. When the administrator enables automated discovery for member accounts, those discovery costs appear in each applicable member account's cost estimate.
This matters for rollout planning. Each new member account added to an org gets its own independent 30-day free trial. If you're adding a new account for a new team or product, that account gets 30 days of free bucket monitoring and automated discovery before charges begin. A staggered rollout that adds accounts over time can materially reduce the org's total Macie spend in the first few months.
The one pooling mechanism that does exist is consolidated billing volume discounts, but they're not reflected in the Macie console cost estimates. For accurate volume discount calculations, use AWS Billing and Cost Management rather than the per-account estimates in Macie's Usage tab.
How the Macie Administrator Account Views Org Spend
The Usage tab in the Macie administrator account shows the organization total, current-month estimate, and a per-account breakdown. You can see which accounts are driving the highest costs without leaving the Macie console.
For programmatic access, two API operations are relevant:
# Estimated cost totals for the current calendar month or rolling 30-day window
aws macie2 get-usage-totals
# Per-account breakdown (in an organization)
aws macie2 get-usage-statistics
The get-usage-totals response breaks down costs by dimension (bucket monitoring, object monitoring, data inspection for automated discovery, data inspection for targeted jobs), which makes it easy to identify which dimension is growing unexpectedly.
Automated Discovery vs. Targeted Jobs: Which Costs Less?
Before jumping to cost reduction tactics, it's worth understanding this tradeoff, because choosing the right scan mode has a larger impact on your bill than most individual optimizations.
The short version: automated discovery uses intelligent sampling and is designed for continuous broad coverage at low cost. Targeted discovery jobs perform complete scans and are designed for specific, high-priority buckets where comprehensive coverage matters.
How Automated Discovery Samples Data (and Why It Costs Less)
Automated discovery clusters S3 objects by bucket name, key prefix, file type, and storage class. Instead of analyzing every object, it scans a representative sample from each cluster. This means the data inspection cost is a fraction of what a full scan would cost.
More importantly, automated discovery tracks previously-scanned objects and skips them in subsequent monthly runs. The first month costs the most; subsequent months only process new or changed objects. As your baseline matures, the data inspection charge from automated discovery tends to decrease over time.
The tradeoff: sampling means incomplete coverage. Automated discovery may miss sensitive data in underrepresented clusters. It's designed to identify where sensitive data probably lives, not to provide audit-ready comprehensive coverage.
Targeted jobs always perform a complete re-scan of every object within scope. If you run the same targeted job twice, you pay for the full data volume both times.
When Targeted Jobs Are Worth the Extra Cost
I'd recommend targeted jobs in three scenarios:
- After automated discovery flags a bucket as likely containing PII. Automated discovery narrows the field; targeted jobs confirm what's there with full coverage.
- For compliance audits requiring documented full-scan coverage. SOC 2, PCI-DSS, and HIPAA audits often require evidence of comprehensive data classification, not sampling.
- For specific one-time investigations. A targeted job on a specific bucket you need to evaluate is often cheaper than waiting for automated discovery to sample it.
Before running any targeted job, check the cost estimate in the job creation wizard. It shows per-bucket and total job cost projections. I've seen teams skip this and end up surprised by how much a "quick scan" costs when the bucket turned out to be much larger than expected.
The AWS Security Blog guide on reducing Macie costs covers the automated discovery sampling mechanics in detail if you want to go deeper.
How to Reduce Your Amazon Macie Bill
Three main levers: reduce what automated discovery monitors, reduce what targeted jobs scan, and use the quota cap as a spending ceiling. Most bills can be reduced 20-40% with the first tactic alone.
Exclude Non-Sensitive Buckets from Automated Discovery
Operational log buckets (CloudTrail logs, VPC flow logs, ALB access logs, S3 server access logs) contain no PII. They're almost never why you enabled Macie. But they often represent a significant share of your total object count, which means they're inflating both your object monitoring charge and your data inspection charge.
Excluding these buckets reduces object monitoring costs proportionally to their share of your total S3 object estate. For accounts with centralized logging, log buckets can represent 20-40% of total object count.
To add exclusions via the console: Macie settings > Automated discovery > Excluded buckets > Add.
# Verify automated discovery configuration status
aws macie2 get-automated-discovery-configuration
The maximum is 1,000 bucket exclusions per account or organization. For most teams, that's more than enough.
Before/after for a mid-size account (100 buckets, 50M objects):
| Scenario | Object Count | Object Monitoring | Data Inspection | Monthly Delta |
|---|---|---|---|---|
| Before exclusions | 50,000,000 | $5.00 | $199.00 | - |
| After excluding 15 log buckets (20M objects) | 30,000,000 | $3.00 | ~$140.00 | -$61/month |
That $61/month reduction is just from turning off automated discovery on buckets that were never going to produce useful findings.
Scope Targeted Jobs to What Actually Matters
Targeted jobs are the highest-cost dimension by volume, and they offer the most granular controls for scoping. Here are the filters I'd apply in priority order:
- Last-modified date filter: Set to last 30 or 90 days. This is the single most effective scope reduction for buckets with stable historical data.
- Prefix exclusion: Exclude
AWSLogs/prefix and other operational prefixes from scan scope. - Random sampling percentage: For broad coverage checks on lower-priority buckets, a 10-20% random sample reduces cost proportionally.
- File extension filter: If you know a bucket's content profile (only CSVs, only Parquet), filter to only those types.
- Tag-based inclusion: Use
Environment: Productiontag filters to ensure targeted jobs run only on production data.
For details on forecasting discovery job costs before running them, the AWS docs cover the wizard's cost estimation feature.
Use the 5 TB Quota Cap as a Spending Ceiling
The default 5 TB/month quota for targeted discovery jobs isn't just a limit, it's a spending ceiling you should keep in place. When the quota is reached, jobs pause automatically and resume on the first day of the next calendar month. You won't get charged for paused jobs.
Pair the quota cap with an AWS Budgets alert at 80% of your projected monthly Macie spend. By the time you're at 80%, you have time to investigate whether spending is on track or something has changed.
Don't raise the quota unless you have a specific reason. The default 5 TB is generous for most accounts.
How to Disable Macie (and What Still Charges After You Do)
Disabling Macie fully is sometimes the right call, especially for dev or sandbox accounts. Here's what to know before you do it.
To disable automated discovery only (stops object monitoring and data inspection charges, keeps bucket monitoring):
aws macie2 update-automated-discovery-configuration --status DISABLED
In the console: Macie settings > Automated discovery > Disable.
Note that object monitoring charges may continue for up to 48 hours after disabling automated discovery. Plan accordingly if you're trying to stop charges at month-end.
To disable Macie entirely:
aws macie2 disable-macie
In the console: Macie settings > Account > Disable Amazon Macie.
The same 48-hour caveat applies here: bucket monitoring and object monitoring charges continue for up to 48 hours after you submit the disable request. You'll pay for up to two days of monitoring after disabling.
In an AWS Organization, the Macie administrator must disable Macie for each member account individually, or use the organization-level setting to disable it org-wide.
Monitor Costs Programmatically with the Usage API
The Macie console's Usage tab shows month-to-date spend, but for monitoring in CI pipelines, dashboards, or budget alerting, the API is more useful:
# Current month-to-date cost breakdown by dimension
aws macie2 get-usage-totals
# Per-account breakdown for org admins
aws macie2 get-usage-statistics
Both operations accept a time range parameter: MONTH_TO_DATE (default) or PAST_30_DAYS for a rolling window. The JSON output includes cost estimates per dimension, which makes it straightforward to build alerts on the dimensions growing unexpectedly.
Integrate with AWS Budgets using Macie as the service filter to set threshold alerts and SNS actions before costs exceed your budget.
What Else Shows Up on Your Amazon Macie Bill
The three Macie dimensions aren't the only charges that appear when Macie is active. When running targeted discovery jobs, Macie issues standard S3 GET and LIST requests to read the objects being scanned. These charges appear on your S3 bill, not your Macie bill, but they're real costs triggered by Macie activity.
For large targeted jobs on buckets with millions of objects, S3 request charges can add up. The Amazon S3 pricing guide covers request cost details if you need to estimate this component.
A few other adjacent charges to be aware of:
- Amazon EventBridge: If you've configured Macie to send findings to EventBridge for routing to SIEM tools or ticketing systems, EventBridge charges apply per event
- AWS Security Hub: Enabling Security Hub integration for Macie findings incurs Security Hub ingestion charges
- S3 storage for discovery results: Sensitive data discovery results are stored in an S3 bucket you designate, incurring standard S3 storage charges
One thing Macie no longer requires: S3 data events in AWS CloudTrail. That was a requirement in the original Macie before the enhanced version launched in May 2020. If you're working from older documentation that references CloudTrail S3 data events as a Macie prerequisite, you can ignore it. The enhanced Macie handles this natively.
Amazon Macie vs. GuardDuty: Cost Comparison
Security teams often ask whether Macie and GuardDuty are alternatives to each other. They're not. They address different threats with different billing models.
GuardDuty detects account-level threats, compromised credentials, anomalous API behavior, and runtime attacks. Macie detects sensitive data exposure and PII misclassification in S3. Most compliance-driven teams need both.
| Dimension | Amazon Macie | Amazon GuardDuty |
|---|---|---|
| Primary billing metric | Per bucket + per 100K objects + per GB scanned | Per log event volume (CloudTrail, VPC flow, DNS) |
| Data inspection charge | $1.00/GB | N/A (not a data inspection service) |
| Malware scanning | N/A | $1.27/GB (S3 Malware Protection, varies by region) |
| Free trial | 30 days (automated discovery + bucket monitoring) | 30 days (all features) |
| Permanent free tier | 1 GB/month data inspection | None |
| Primary use case | PII and sensitive data discovery in S3 | Threat detection, account compromise, runtime anomalies |
| Best for | Data privacy compliance (HIPAA, PCI-DSS, GDPR) | Security event detection and incident response |
The billing models are fundamentally different: Macie scales with your S3 estate size (bucket count, object count, data volume), while GuardDuty scales with your API and network activity. For a full Amazon GuardDuty pricing breakdown including all seven protection plans, see the dedicated guide.
Is Amazon Macie Worth the Cost?
At startup scale (10-50 buckets, under 1M objects), Macie costs $5-20/month. That's easy to justify for any team storing PII in S3. You'd spend more on a single support ticket trying to figure out what data is in which bucket.
At mid-size scale (100 buckets, 50M objects), roughly $200/month is defensible if you have compliance requirements. SOC 2, PCI-DSS, and HIPAA all benefit from documented S3 data classification. The question is whether the findings you're getting from automated discovery are actionable. If Macie is running and no one is reviewing findings, that's a signal to either operationalize it or pause it.
At enterprise scale (500+ buckets, billions of objects), cost requires deliberate scoping. Without bucket exclusions and targeted job discipline, per-account monthly costs can run into thousands of dollars. A large org can easily spend more on Macie than on GuardDuty. At that scale, I'd recommend:
- Automated discovery only, with aggressive log bucket exclusions
- Targeted jobs quarterly on buckets flagged by automated discovery, not on everything
- A clear process for acting on findings, so the discovery cost produces value
The honest trade-off: if you're running a 500-account enterprise org with data lakes holding 50 billion objects, Macie's object monitoring charge alone could be $5,000+/month before any scanning. At that scale, it's worth evaluating whether automated discovery's sampling approach is giving you the coverage you need, or whether a different architecture (like tagging data classification at bucket creation time and running targeted jobs only on explicitly sensitive buckets) reduces cost while maintaining compliance posture.
Key Takeaways
- Two of Macie's three billing dimensions (bucket monitoring and object monitoring) run continuously as long as Macie is enabled, regardless of active scanning
- Object monitoring is $0.01 per 100,000 objects per month, which looks trivial but reaches $500/month per account at 5B objects
- The 5 TB monthly quota cap for targeted jobs is a meaningful spending ceiling. Keep the default unless you have a reason to raise it.
- Excluding log and operational buckets from automated discovery is the highest-ROI cost reduction tactic for most accounts. It reduces both object monitoring and data inspection charges.
- Use automated discovery to map your S3 estate first, then run targeted jobs only on the buckets automated discovery flags as likely containing sensitive data
Use the Macie pricing calculator to estimate your specific monthly cost based on your actual S3 footprint. If you're evaluating Macie alongside GuardDuty, the GuardDuty pricing guide covers its seven protection plans in the same level of detail.
What's your experience been with Macie costs? If you've found effective scoping strategies beyond bucket exclusions, share them in the comments below.
CloudBurn
Shift-Left Your AWS Cost Optimization
CloudBurn runs deterministic cost rules against your IaC in CI and your live AWS account in production. One engine, two modes. Open source, install with brew or npm.