aws_macie2_account cost estimation
Managed sensitive-data discovery for S3, billed per bucket evaluated plus per GB inspected. 50 buckets + 100 GB inspected is ~$105/month.
An aws_macie2_account enables Amazon Macie, which discovers and classifies sensitive data (PII, credentials, financial data) in S3. Cost has two parts: bucket evaluation for automated security and access monitoring (~$0.10 per bucket per month), and sensitive-data inspection (~$1.00/GB of objects analyzed, with volume tiers lowering the rate at scale). Evaluating 50 buckets and inspecting 100 GB is ~$5 + $100 = $105/month.
The inspection charge is the cost driver, and it scales with how much object data Macie analyzes. Bucket evaluation is cheap and broad; deep content inspection is where the GB-based cost accrues — so the lever is scoping inspection jobs to the buckets and data that actually warrant sensitive-data classification, rather than scanning the entire data estate repeatedly.
Macie samples intelligently and supports one-time and scheduled jobs scoped by bucket, prefix, and object criteria. Running targeted, incremental inspection — not full scans of everything on a tight schedule — keeps the per-GB cost controlled.
c3x prices Macie from bucket count and inspected GB as usage, so projected cost can be modelled.
Terraform example
A minimal but realistic configuration that C3X can estimate.
resource "aws_macie2_account" "main" {
status = "ENABLED"
finding_publishing_frequency = "FIFTEEN_MINUTES"
}Pricing dimensions
What you actually pay for when you provision aws_macie2_account.
| Dimension | Unit | What's being charged |
|---|---|---|
| Buckets evaluated | per bucket-month | Automated security/access evaluation per S3 bucket. Cheap and broad. $0.10/bucket-month → 50 buckets = $5/month |
| Data inspected | per GB | Sensitive-data content inspection of object data, with tiers lowering the rate at scale. The cost driver. ~$1.00/GB (first tier) → 100 GB = $100/month |
Sample C3X output
50 buckets evaluated + 100 GB of objects inspected in a month:
aws_macie2_account.main
├─ Buckets evaluated 50 bucket-months $5.00
└─ Data inspected 100 GB $100.00
Monthly $105.00Optimization tips
Common ways to reduce aws_macie2_account cost without changing the workload.
Scope inspection jobs to data that warrants it
Proportional to GB not inspectedThe per-GB inspection charge is the cost driver. Target sensitive-data discovery jobs at the buckets and prefixes likely to hold PII/credentials, rather than scanning the entire data estate repeatedly.
Use incremental, scheduled jobs
Large vs repeated full scansRun scheduled jobs that inspect only new/changed objects rather than full re-scans of everything. Macie's sampling and object criteria let you cover the estate without re-paying to inspect unchanged data.
Rely on cheap bucket evaluation for broad coverage
Inspection cost on low-risk bucketsAutomated bucket evaluation (~$0.10/bucket) gives broad security and access posture cheaply. Reserve the expensive content inspection for buckets that genuinely need sensitive-data classification.
FAQ
How is Amazon Macie billed?
Two parts: bucket evaluation for security/access monitoring (~$0.10/bucket-month) and sensitive-data inspection (~$1.00/GB of objects analyzed, tiered down at scale). 50 buckets + 100 GB inspected is ~$105/month. Inspection is the cost driver.
Why is my Macie bill high?
The per-GB content inspection. Broad bucket evaluation is cheap, but deep sensitive-data inspection scales with how much object data you analyze. Scope inspection jobs to relevant buckets and use incremental scans to control it.
How does c3x estimate the cost?
Macie is usage-driven, so c3x models it from bucket count and inspected GB in c3x-usage.yml. There's no instance to price; the estimate reflects projected evaluation and inspection volume.
Related resources
Estimate this resource in your own Terraform
Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_macie2_account.