# Forecasting and monitoring Macie costs
To help you forecast and monitor your costs for using Amazon Macie, Macie calculates and provides estimated usage costs for your account. With this data, you can determine whether to adjust your use of the service or your account quotas. If you’re currently participating in a 30-day free trial of Macie, you can use this data to estimate your costs for using Macie after the free trial ends. You can also check the status of your trial.
You can review your estimated usage costs on the Amazon Macie console and access them programmatically with the Amazon Macie API. If you’re the Macie administrator for an organization, you can review and access both aggregated data for your organization and breakdowns of the data for accounts in your organization.
In addition to the estimated usage costs that Macie provides, you can review and monitor your actual costs by using AWS Billing and Cost Management. AWS Billing and Cost Management provides features that are designed to help you track and analyze your costs for AWS services, and manage budgets for your account or organization. It also provides features that can help you forecast usage costs based on historical data. To learn more, see the [AWS Billing User Guide](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-what-is.html).
**Topics**
+ [Understanding estimated usage costs](account-mgmt-costs-calculations.md)
+ [Reviewing estimated usage costs](account-mgmt-costs-review.md)
+ [Participating in the free trial](account-mgmt-free-trial.md)
# Understanding estimated usage costs for Macie
Amazon Macie pricing is based on the following dimensions.
**Preventative control monitoring**
These costs derive from maintaining an inventory of your Amazon Simple Storage Service (Amazon S3) general purpose buckets, and evaluating and monitoring the buckets for security and access control. For more information, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md).
You’re charged based on the total number of S3 general purpose buckets that Macie evaluates and monitors for your account, for up to 10,000 buckets. The charges are prorated per day.
**Object monitoring for automated sensitive data discovery**
These costs derive from monitoring and evaluating your S3 bucket inventory to identify S3 objects that are eligible for analysis by automated sensitive data discovery. For more information, see [How automated sensitive data discovery works](discovery-asdd-how-it-works.md).
You’re charged based on the total number of S3 objects that are stored in general purpose buckets for your account. The charges are prorated per day.
**Object analysis by sensitive data discovery jobs and automated sensitive data discovery**
These costs derive from analyzing S3 objects and reporting sensitive data that Macie finds in the objects. This includes analyses and reporting by sensitive data discovery jobs and by automated sensitive data discovery. For more information, see [Discovering sensitive data](data-classification.md).
You’re charged based on the amount of uncompressed data that Macie analyzes in S3 objects. There’s no charge for objects that Macie can’t analyze for reasons such as use of an unsupported Amazon S3 storage class, use of an unsupported file or storage format, or permissions settings. In addition, these costs don’t vary based on the number of sensitive data findings produced by your jobs or by automated sensitive data discovery.
To manage costs for automated sensitive data discovery, you can exclude individual S3 buckets from the analyses. For example, you might exclude buckets that are known to meet your organization's security and compliance requirements. If your account is part of an organization that centrally manages multiple Macie accounts, an additional option is to selectively enable or disable automated sensitive data discovery for individual accounts in your organization. For more information, see [Configuring settings for automated sensitive data discovery](discovery-asdd-account-configure.md).
Costs for sensitive data discovery jobs are restricted by the monthly [sensitive data discovery quota](macie-quotas.md) for your account. (The default quota is 5 TB of data.) If a job is running and the analysis of eligible objects reaches this quota, Macie automatically pauses the job until the next calendar month starts and the monthly quota is reset for your account, or you increase the quota for your account.
If you’re the Macie administrator for an organization, costs for sensitive data discovery jobs are restricted by the monthly sensitive data discovery quota for each account that you analyze data for. The quota for a member account defines the maximum amount of data that your jobs and the member account’s jobs can analyze for the account during a calendar month. If a job is running and the analysis of eligible objects reaches this quota for a member account, Macie stops analyzing objects in buckets that the account owns. When Macie finishes analyzing objects for all other accounts that haven’t met the quota, Macie automatically pauses the job. If it’s a one-time job, Macie automatically resumes the job when the next calendar month starts or the quota is increased for all the affected accounts, whichever occurs first. If it’s a periodic job, Macie automatically resumes the job when the next run is scheduled to start or the next calendar month starts, whichever occurs first. If a scheduled run starts before the next calendar month starts or the quota is increased for an affected account, Macie doesn’t analyze objects in buckets that the account owns.
For helpful tips about managing or reducing sensitive data discovery costs, see the following blog post on the *AWS Security Blog*: [How to use Amazon Macie to reduce the cost of discovering sensitive data](https://aws.amazon.com/blogs/security/how-to-use-amazon-macie-to-reduce-the-cost-of-discovering-sensitive-data/).
For detailed information and examples of usage costs, see [Amazon Macie pricing](https://aws.amazon.com/macie/pricing/).
When you use Macie to review your estimated usage costs, it’s important to understand how the cost estimates are calculated. Consider the following:
+ The estimates are reported in US dollars (USD) and are for the current AWS Region only. If you use Macie in multiple Regions, the data isn’t aggregated for all the Regions in which you use Macie.
+ On the console, the estimates are inclusive for the current calendar month to date. If you query the data programmatically with the Amazon Macie API, you can choose an inclusive time range for the estimates. This can be a rolling time range of the preceding 30 days or the current calendar month to date.
+ The estimates don’t reflect all the discounts that might apply to your account. The exception is discounts that derive from Regional volume pricing tiers, as described in [Amazon Macie pricing](https://aws.amazon.com/macie/pricing/). If your account qualifies for this type of discount, the estimates reflect that discount.
+ If you're the Macie administrator for an organization, the estimates don’t reflect combined usage volume discounts for your organization. For information about these discounts, see [Volume discounts](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/useconsolidatedbilling-effective.html) in the *AWS Billing User Guide*.
+ For preventative control monitoring, the estimate is based on the average daily cost for the applicable time range. The cost is prorated per day.
+ For automated sensitive data discovery, the overall estimate is based on the average daily cost for object monitoring (prorated per day) and the amount of uncompressed data that Macie has analyzed thus far during the applicable time range. If you're the Macie administrator for an organization and you enable automated sensitive data discovery for member accounts, the estimated costs of those activities are included in the estimates for each applicable member account.
+ For sensitive data discovery jobs, the estimate is based on the amount of uncompressed data that your jobs have analyzed thus far during the applicable time range. If you're the Macie administrator for an organization and you run jobs that analyze data for member accounts, the estimated costs of those jobs are included in the estimate for each applicable member account.
+ If your account is a member account in an organization and your Macie administrator enables automated sensitive data discovery or runs sensitive data discovery jobs that analyze your data, the estimated costs of those activities are included in the estimates for your account.
+ The estimates don’t include costs that you incur for using other AWS services with certain Macie features. For example, using customer managed AWS KMS keys to decrypt S3 objects that you want to inspect for sensitive data.
Also note that Macie provides a monthly free tier for analysis of S3 objects by sensitive data discovery jobs and automated sensitive data discovery. Each month, there’s no charge to analyze up to 1 GB of data to discover and report sensitive data in S3 objects. If more than 1 GB of data is analyzed during a given month, sensitive data discovery charges begin to accrue for your account after the first 1 GB of data. If less than 1 GB of data is analyzed during a given month, the remaining allocation doesn't roll over to the next month. If your account is part of an organization with consolidated billing, the free tier applies to the combined amount of data analyzed for your organization. In other words, there’s no charge to analyze up to 1 GB of data each month for all the accounts in your organization.
# Reviewing estimated usage costs for Macie
To review your current estimated usage costs for Amazon Macie, you can use the Amazon Macie console or the Amazon Macie API. Both the console and the API provide estimated costs for Macie pricing dimensions. If you’re currently participating in a 30-day free trial, you can use this data to estimate your costs for using Macie after your free trial ends. For information about Macie pricing dimensions and considerations, see [Understanding estimated usage costs](account-mgmt-costs-calculations.md). For detailed information and examples of usage costs, see [Amazon Macie pricing](https://aws.amazon.com/macie/pricing/).
In Macie, estimated usage costs are reported in US dollars (USD) and apply only to the current AWS Region. If you use the console to review the data, the cost estimates are for the current calendar month to date (inclusively). If you query the data programmatically with the Amazon Macie API, you can specify an inclusive time range for the estimates, either a rolling time range of the preceding 30 days or the current calendar month to date.
**Topics**
+ [Reviewing estimated usage costs on the console](#account-mgmt-costs-review-console)
+ [Querying estimated usage costs with the API](#account-mgmt-costs-review-api)
## Reviewing estimated usage costs on the Amazon Macie console
On the Amazon Macie console, cost estimates are organized as follows:
+ **Preventative control monitoring** – This is the estimated cost of maintaining an inventory of your Amazon Simple Storage Service (Amazon S3) general purpose buckets, and evaluating and monitoring the buckets for security and access control.
+ **Sensitive data discovery jobs** – This is the estimated cost of the sensitive data discovery jobs that you ran.
+ **Automated sensitive data discovery** – These are the estimated costs of performing automated sensitive data discovery. This includes monitoring and evaluating your S3 bucket inventory to identify S3 objects that are eligible for analysis. It also includes analyzing eligible objects and reporting sensitive data statistics, findings, and other types of results.
To review estimates for automated sensitive data discovery by using the console, you must be the Macie administrator for an organization or have a standalone Macie account.
**To review your estimated usage costs on the console**
Follow these steps to review your estimated usage costs by using the Amazon Macie console.
1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).
1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to review your estimated costs.
1. In the navigation pane, choose **Usage**.
If you have a standalone Macie account or a member account in an organization, the **Usage** page displays a breakdown of the estimated usage costs for your account.
If you’re the Macie administrator for an organization, the **Usage** page lists accounts in your organization. In the table:
+ **Service quota – Jobs** – This is the current monthly quota for running sensitive data discovery jobs to analyze S3 objects in buckets that an account owns.
+ **Free trial** – These fields indicate whether an account is currently participating in the free trial for preventative control monitoring or automated sensitive data discovery. A **Free trial** field is empty if the applicable free trial has ended for an account.
+ **Total** – This is the total estimated cost for an account.
The **Estimated costs** section shows the total estimated cost for your organization and a breakdown of those costs. To review the breakdown of estimated costs for a specific account in your organization, choose the account in the table. The **Estimated costs** section then shows this breakdown. To show this data for another account, choose the account in the table. To clear your account selection, choose **X** next to the account ID.
## Querying estimated usage costs with the Amazon Macie API
To query your estimated usage costs programmatically, you can use the following operations of the Amazon Macie API:
+ **GetUsageTotals** – This operation returns total estimated usage costs for your account, grouped by usage metric. If you’re the Macie administrator for an organization, this operation returns aggregated cost estimates for all the accounts in your organization. To learn more about this operation, see [Usage Totals](https://docs.aws.amazon.com/macie/latest/APIReference/usage.html) in the *Amazon Macie API Reference*.
+ **GetUsageStatistics** – This operation returns usage statistics and related data for your account, grouped by account and then by usage metric. The data includes total estimated usage costs and current account quotas. As applicable, it also indicates when your 30-day free trial started for Macie and for automated sensitive data discovery. If you’re the Macie administrator for an organization, this operation returns a breakdown of the data for all the accounts in your organization. You can customize your query by sorting and filtering the query results. To learn more about this operation, see [Usage Statistics](https://docs.aws.amazon.com/macie/latest/APIReference/usage-statistics.html) in the *Amazon Macie API Reference*.
When you use either operation, you can optionally specify an inclusive time range for the data. This time range can be a rolling time range of the preceding 30 days (`PAST_30_DAYS`) or the current calendar month to date (`MONTH_TO_DATE`). If you don’t specify a time range, Macie returns the data for the preceding 30 days.
The following examples show how to query estimated usage costs and statistics by using the [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html). You can also query the data by using a current version of another AWS command line tool or an AWS SDK, or by sending HTTPS requests directly to Macie. For information about AWS tools and SDKs, see [Tools to Build on AWS](https://aws.amazon.com/developer/tools/).
**Topics**
+ [Querying total estimated usage costs](#account-mgmt-costs-review-api-totals)
+ [Querying usage statistics](#account-mgmt-costs-review-api-statistics)
### Example 1: Querying total estimated usage costs
To query total estimated usage costs by using the AWS CLI, run the [get-usage-totals](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-usage-totals.html) command and optionally specify a time range for the data. For example:
```
C:\> aws macie2 get-usage-totals --time-range MONTH_TO_DATE
```
Where *`MONTH_TO_DATE`* specifies the current calendar month to date as the time range for the data.
If the command runs successfully, you receive output similar to the following.
```
{
"timeRange": "MONTH_TO_DATE",
"usageTotals": [
{
"currency": "USD",
"estimatedCost": "153.45",
"type": "SENSITIVE_DATA_DISCOVERY"
},
{
"currency": "USD",
"estimatedCost": "65.18",
"type": "AUTOMATED_SENSITIVE_DATA_DISCOVERY"
},
{
"currency": "USD",
"estimatedCost": "1.51",
"type": "DATA_INVENTORY_EVALUATION"
},
{
"currency": "USD",
"estimatedCost": "0.98",
"type": "AUTOMATED_OBJECT_MONITORING"
}
]
}
```
Where `estimatedCost` is the total estimated usage cost for the associated usage metric (`type`):
+ `SENSITIVE_DATA_DISCOVERY`, for analyzing S3 objects with sensitive data discovery jobs.
+ `AUTOMATED_SENSITIVE_DATA_DISCOVERY`, for analyzing S3 objects with automated sensitive data discovery.
+ `DATA_INVENTORY_EVALUATION`, for monitoring and evaluating S3 general purpose buckets for security and access control.
+ `AUTOMATED_OBJECT_MONITORING`, for evaluating and monitoring your S3 bucket inventory to identify S3 objects that are eligible for analysis by automated sensitive data discovery.
### Example 2: Querying usage statistics
To query usage statistics by using the AWS CLI, run the [get-usage-statistics](https://docs.aws.amazon.com/cli/latest/reference/macie2/get-usage-statistics.html) command. You can optionally sort, filter, and specify a time range for the query results. The following example retrieves usage statistics for a Macie administrator account for the preceding 30 days. The results are sorted in ascending order by AWS account ID.
For Linux, macOS, or Unix, using the backslash (\$1) line-continuation character to improve readability:
```
$ aws macie2 get-usage-statistics \
--sort-by '{"key":"accountId","orderBy":"ASC"}' \
--time-range PAST_30_DAYS
```
For Microsoft Windows, using the caret (^) line-continuation character to improve readability:
```
C:\> aws macie2 get-usage-statistics ^
--sort-by={\"key\":\"accountId\",\"orderBy\":\"ASC\"} ^
--time-range PAST_30_DAYS
```
Where:
+ *accountId* specifies the field to use to sort the results.
+ *ASC* is the sort order to apply to the results, based on the value for the specified field (*accountId*).
+ *`PAST_30_DAYS`* specifies the preceding 30 days as the time range for the data.
If the command runs successfully, Macie returns a `records` array. The array contains an object for each account that’s included in the query results. For example:
```
{
"records": [
{
"accountId": "111122223333",
"automatedDiscoveryFreeTrialStartDate": "2024-01-28T16:00:00+00:00",
"freeTrialStartDate": "2020-05-20T12:26:36.917000+00:00",
"usage": [
{
"currency": "USD",
"estimatedCost": "1.51",
"type": "DATA_INVENTORY_EVALUATION"
},
{
"currency": "USD",
"estimatedCost": "65.18",
"type": "AUTOMATED_SENSITIVE_DATA_DISCOVERY"
},
{
"currency": "USD",
"estimatedCost": "153.45",
"serviceLimit": {
"isServiceLimited": false,
"unit": "TERABYTES",
"value": 50
},
"type": "SENSITIVE_DATA_DISCOVERY"
},
{
"currency": "USD",
"estimatedCost": "0.98",
"type": "AUTOMATED_OBJECT_MONITORING"
}
]
},
{
"accountId": "444455556666",
"automatedDiscoveryFreeTrialStartDate": "2024-01-28T16:00:00+00:00",
"freeTrialStartDate": "2020-05-18T16:26:36.917000+00:00",
"usage": [
{
"currency": "USD",
"estimatedCost": "1.58",
"type": "DATA_INVENTORY_EVALUATION"
},
{
"currency": "USD",
"estimatedCost": "63.13",
"type": "AUTOMATED_SENSITIVE_DATA_DISCOVERY"
},
{
"currency": "USD",
"estimatedCost": "145.12",
"serviceLimit": {
"isServiceLimited": false,
"unit": "TERABYTES",
"value": 50
},
"type": "SENSITIVE_DATA_DISCOVERY"
},
{
"currency": "USD",
"estimatedCost": "1.02",
"type": "AUTOMATED_OBJECT_MONITORING"
}
]
}
],
"timeRange": "PAST_30_DAYS"
}
```
Where `estimatedCost` is the total estimated usage cost for the associated usage metric (`type`) for an account:
+ `DATA_INVENTORY_EVALUATION`, for monitoring and evaluating S3 general purpose buckets for security and access control.
+ `AUTOMATED_SENSITIVE_DATA_DISCOVERY`, for analyzing S3 objects with automated sensitive data discovery.
+ `SENSITIVE_DATA_DISCOVERY`, for analyzing S3 objects with sensitive data discovery jobs.
+ `AUTOMATED_OBJECT_MONITORING`, for evaluating and monitoring the account's S3 bucket inventory to identify S3 objects that are eligible for analysis by automated sensitive data discovery.
# Participating in the free trial of Macie
When you enable Amazon Macie for the first time, your AWS account is automatically enrolled in the 30-day free trial of Macie. This includes individual member accounts in an AWS Organizations organization.
During the free trial, there’s no charge for using Macie in a specific AWS Region to:
+ **Perform preventative control monitoring** – This includes generating and maintaining an inventory of your Amazon Simple Storage Service (Amazon S3) general purpose buckets in the Region. It also includes evaluating and monitoring the buckets for security and access control.
For more information, see [How Macie monitors Amazon S3 data security](monitoring-s3-how-it-works.md).
+ **Perform automated sensitive data discovery** – This includes monitoring and evaluating your S3 bucket inventory in the Region to identify S3 objects that are eligible for analysis. It also includes analyzing eligible objects and reporting sensitive data statistics, findings, and other types of results. To configure and manage this feature, you must be the Macie administrator for an organization or have a standalone Macie account. If you're a Macie administrator, you can use this feature to analyze objects in S3 buckets that your member accounts own.
For more information, see [How automated sensitive data discovery works](discovery-asdd-how-it-works.md).
For a list of Regions where Macie is currently available, see [Amazon Macie endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/macie.html) in the *AWS General Reference*.
The free trial runs for 30 consecutive days. You can’t pause it after it starts. After the free trial ends, charges begin to accrue for performing preventative control monitoring. Charges also begin to accrue for performing automated sensitive data discovery. If you’re the Macie administrator for an organization, charges accrue as applicable for each account in your organization. You can use Macie to review breakdowns of estimated usage costs for individual accounts in your organization.
**Notes**
During the free trial, you might incur charges for other AWS services that you use with certain Macie features—for example, using customer managed AWS KMS keys to decrypt S3 objects that you want to inspect for sensitive data.
The free trial doesn’t include analysis of S3 objects by sensitive data discovery jobs. You’ll incur charges if you create and run sensitive data discovery jobs that analyze more than 1 GB of uncompressed data during the free trial. (Macie provides a monthly free tier for sensitive data discovery. Each month, there’s no charge to analyze up to 1 GB of uncompressed data in S3 objects. After the first 1 GB of data, costs accrue.)
During the free trial, you can check the status of your trial and review estimated usage costs for your account. The cost estimates are based on your use of Macie thus far during the free trial. They can help you understand what some of your usage costs might be after the trial ends. For details about how Macie calculates these values, see [Understanding estimated usage costs](account-mgmt-costs-calculations.md).
**To check your status and estimated costs during the free trial**
Follow these steps to check the status of your trial and review your estimated usage costs by using the Amazon Macie console. To access this data programmatically, you can use the [GetUsageStatistics](https://docs.aws.amazon.com/macie/latest/APIReference/usage-statistics.html) operation of the Amazon Macie API.
1. Open the Amazon Macie console at [https://console.aws.amazon.com/macie/](https://console.aws.amazon.com/macie/).
1. By using the AWS Region selector in the upper-right corner of the page, choose the Region in which you want to check the status of your free trial and your estimated usage costs.
1. In the navigation pane, choose **Usage**.
The **Usage** page indicates the number of remaining days in your free trial. It also shows a breakdown of your estimated usage costs in US dollars (USD):
+ **Preventative control monitoring** – This is the total projected cost of maintaining an inventory of your S3 general purpose buckets, and evaluating and monitoring the buckets for security and access control after the free trial ends.
+ **Sensitive data discovery jobs** – This is the total estimated cost of any sensitive data discovery jobs that you ran. Sensitive data discovery jobs aren’t included in the free trial.
+ **Automated sensitive data discovery** – These are the total projected costs of performing automated sensitive data discovery after the free trial ends, broken down by pricing dimension—object monitoring and object analysis. To review these estimates on the console, you must be the Macie administrator for an organization or have a standalone Macie account.
If you’re the Macie administrator for an organization, the **Usage** page provides details about the accounts in your organization. In the table:
+ **Service quota – Jobs** – This is the current monthly quota for running sensitive data discovery jobs to analyze S3 objects in buckets that an account owns.
+ **Free trial** – These fields indicate whether an account is currently participating in the free trial for preventative control monitoring or automated sensitive data discovery. A **Free trial** field is empty if the applicable free trial has ended for an account.
+ **Total** – This is the total estimated cost for an account.
The **Estimated costs** section shows estimated costs for your organization overall. To review the breakdown of estimated costs for a specific account in your organization, choose the account in the table. The **Estimated costs** section then shows this breakdown. To show this data for another account, choose the account in the table. To clear your account selection, choose **X** next to the account ID.
**Notes**
If an account stores more than 150 TB of data in Amazon S3, the account's estimated and actual costs for automated sensitive data discovery might be higher than the cost projections that Macie provides during the 30-day free trial. This is because object analysis by automated sensitive data discovery is paused when 150 GB of uncompressed data has been analyzed for an account that's enrolled in the free trial. Object analysis resumes for the account after the free trial ends. For assistance forecasting costs for an account that stores more than 150 TB of data in Amazon S3, contact AWS Support.
To manage costs for automated sensitive data discovery after the free trial ends, you can exclude individual S3 buckets from subsequent analyses. If you’re the Macie administrator for an organization, an additional option is to selectively enable or disable automated sensitive data discovery for individual accounts in your organization. For information about these options, see [Configuring settings for automated sensitive data discovery](discovery-asdd-account-configure.md).