Forecasting and monitoring Amazon Macie costs

To help you forecast and monitor your costs for using Amazon Macie, Macie calculates and provides estimated usage costs for your account. With this data, you can determine whether to adjust your use of the service or your account quotas.

You can review your estimated usage costs on the Amazon Macie console and access them programmatically with the Amazon Macie API. If you’re the Macie administrator for an organization, you can review and access both aggregated data for your organization and breakdowns of the data for accounts in your organization.

If you’re currently participating in the 30-day free trial of Macie, you can use this data to estimate the cost of monitoring your Amazon Simple Storage Service (Amazon S3) data for security and access control after your free trial ends. You can also check the status of your trial.

In addition to the estimated usage costs that Macie provides, you can review and monitor your actual costs by using AWS Billing and Cost Management. AWS Billing and Cost Management provides features that are designed to help you track and analyze your costs for AWS services, and manage budgets for your account or organization. It also provides features that can help you forecast usage costs based on historical data. To learn more, see the AWS Billing and Cost Management User Guide.

Understanding how estimated usage costs are calculated

Amazon Macie pricing is based on two dimensions: preventative control monitoring and sensitive data discovery jobs.

Preventative control monitoring

These costs derive from maintaining your S3 bucket inventory and evaluating and monitoring your buckets for security and access control. You’re charged based on the total number of buckets that Macie can access for your account. The charges are prorated per day.

Sensitive data discovery jobs

These costs derive from running sensitive data discovery jobs to analyze S3 objects and report sensitive data in those objects. You’re charged based on the amount of uncompressed data that Macie analyzes in objects when you run a job. There’s no charge for objects that Macie can’t analyze for reasons such as use of an unsupported Amazon S3 storage class, use of an unsupported file or storage format, or permissions settings. For more information, see Discovering sensitive data.

Note that these costs are restricted by the monthly sensitive data discovery quota for your account. (The default quota is 5 TB of data.) If a job is running and the job’s analysis of eligible objects reaches this quota, Macie automatically pauses the job until you increase the quota or the next calendar month starts. If you’re a Macie administrator and you run a job to analyze data for a member account, Macie automatically pauses the job until the quota is increased for the member account or the next calendar month starts.

For detailed information and examples of usage costs, see Amazon Macie pricing.

When you use Macie to review your estimated usage costs, it’s important to understand how the cost estimates are calculated. Consider the following:

  • The estimates are reported in US Dollars and are for the current AWS Region only. If you use Macie in multiple Regions, the data isn’t aggregated for all the Regions in which you use Macie.

  • On the console, the estimates are inclusive for the current calendar month to date. If you query the data programmatically with the Amazon Macie API, you can choose an inclusive time range for the estimates. This can be a rolling time range of the preceding 30 days or the current calendar month to date.

  • The estimates don’t reflect all the discounts that might apply to your account. The exception is discounts that derive from Regional volume pricing tiers, as described in Amazon Macie pricing. If your account qualifies for this type of discount, the estimates reflect that discount.

    If you're the Macie administrator for an organization, the estimates don’t reflect combined usage volume discounts for your organization. For information about these discounts, see Volume discounts in the AWS Billing and Cost Management User Guide.

  • For preventative control monitoring, the estimate is based on the average daily cost for the applicable time range. The cost is prorated per day.

  • For sensitive data discovery jobs, the estimate is based on the amount of uncompressed data that your jobs have analyzed thus far during the applicable time range.

  • If you're the Macie administrator for an organization and you run jobs that analyze data for a member account, the estimated cost of those jobs is included in the estimate for the applicable member account. The estimated cost isn’t included in the estimate for your administrator account.

  • If your account is a member account in an organization and your Macie administrator runs jobs that analyze your data, the estimated cost of those jobs is included in the estimate for your account.

  • The estimates don’t include costs that you incur for using other AWS services with certain Macie features, for example, using customer managed AWS KMS customer master keys (CMKs) to decrypt S3 objects that you want to inspect for sensitive data.

Also note that Macie provides a monthly free tier for sensitive data discovery jobs. Each month, there’s no charge for you to analyze up to 1 GB of data to discover and report sensitive data in S3 objects. If you analyze more than 1 GB of data during a given month, sensitive data discovery charges begin to accrue for your account after the first 1 GB of data. If you analyze less than 1 GB of data during a given month, the remaining allocation doesn't roll over to the next month. If your account is part of an organization, the free tier applies to each individual account in your organization. In other words, there’s no charge for each account in your organization to analyze up to 1 GB of data each month.

Reviewing estimated usage costs

To review your current estimated usage costs, you can use the Amazon Macie console or the Amazon Macie API. Both the console and the API provide estimated costs for Macie pricing dimensions:

  • Preventative control monitoring – This is the estimated cost of maintaining your S3 bucket inventory and evaluating and monitoring the buckets for security and access control.

  • Data discovery jobs – This is the estimated cost of the sensitive data discovery jobs that you ran.

The data is reported in US Dollars and applies only to the current AWS Region. If you use the console to review the data, the cost estimates are for the current calendar month to date (inclusively). If you query the data programmatically with the Amazon Macie API, you can specify an inclusive time range for the estimates, either a rolling time range of the preceding 30 days or the current calendar month to date.

Reviewing estimated usage costs on the Amazon Macie console

Follow these steps to review your estimated costs by using the Amazon Macie console.

To review your estimated usage costs on the console

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you want to review your estimated costs.

  3. In the navigation pane, choose Usage.

If you have a standalone account or your account is a member account in an organization, the Usage page displays a breakdown of the estimated usage costs for your account.

If you’re the Macie administrator for an organization, the Usage page lists accounts in your organization:

  • In the table, the Total field indicates the total estimated cost for each account.

  • The Estimated costs section shows the total estimated cost for your organization and a breakdown of those costs by pricing dimension.

To review the breakdown of estimated costs for a specific account in your organization, choose the account in the table. The Estimated costs section then shows this breakdown. To show this data for another account, choose the account in the table. To clear your account selection, choose X next to the account ID.

Querying estimated usage costs programmatically with the Amazon Macie API

To query your estimated usage costs programmatically, you can use the following operations of the Amazon Macie API:

  • GetUsageTotals – This operation returns total estimated usage costs for your account, grouped by usage metric. If you’re the Macie administrator for an organization, this operation returns aggregated cost estimates for all the accounts in your organization. To learn more about this operation, see Usage Totals in the Amazon Macie API Reference.

  • GetUsageStatistics – This operation returns usage statistics and related data for your account, grouped by account and then by usage metric. The data includes total estimated usage costs, current account quotas, and, if applicable, the date and time when the 30-day free trial started. If you’re the Macie administrator for an organization, this operation returns a breakdown of the data for all the accounts in your organization. You can customize your query by sorting and filtering the query results. To learn more about this operation, see Usage Statistics in the Amazon Macie API Reference.

When you use either operation, you can optionally specify an inclusive time range for the data. This time range can be a rolling time range of the preceding 30 days (PAST_30_DAYS) or the current calendar month to date (MONTH_TO_DATE). If you don’t specify a time range, Macie returns the data for the preceding 30 days.

The following examples show you how to query estimated usage costs and statistics by using the AWS Command Line Interface (AWS CLI). You can also query the data by sending HTTPS requests directly to Macie, or by using a current version of another AWS command line tool or an AWS SDK. For information about AWS tools and SDKs, see Tools to Build on AWS.

Example 1: Querying total estimated usage costs

To query total estimated usage costs by using the AWS CLI, run the get-usage-totals command and optionally specify a time range for the data. For example:

C:\> aws macie2 get-usage-totals --time-range MONTH_TO_DATE

Where MONTH_TO_DATE specifies the current calendar month to date as the time range for the data.

If the command runs successfully, you receive output similar to the following.

{
    "timeRange": "MONTH_TO_DATE",
    "usageTotals": [
        {
            "currency": "USD",
            "estimatedCost": "153.45",
            "type": "SENSITIVE_DATA_DISCOVERY"
        },
        {
            "currency": "USD",
            "estimatedCost": "10.50",
            "type": "DATA_INVENTORY_EVALUATION"
        }
    ]
}

Where estimatedCost is the total estimated usage cost for the associated usage metric (type): SENSITIVE_DATA_DISCOVERY, for analyzing S3 objects to detect sensitive data; and, DATA_INVENTORY_EVALUATION, for monitoring and evaluating S3 buckets for security and access control.

Example 2: Querying usage statistics

To query usage statistics by using the AWS CLI, run the get-usage-statistics command. You can optionally sort, filter, and specify a time range for the query results. The following example retrieves usage statistics for a Macie administrator account for the preceding 30 days. The results are sorted in ascending order by account ID.

For Linux, macOS, or Unix, using the backslash (\) line-continuation character to improve readability:

$ aws macie2 get-usage-statistics \
--sort-by '{"key":"accountId","orderBy":"ASC"}' \
--time-range PAST_30_DAYS

For Microsoft Windows, using the caret (^) line-continuation character to improve readability:

C:\> aws macie2 get-usage-statistics ^
--sort-by={\"key\":\"accountId\",\"orderBy\":\"ASC\"} ^
--time-range PAST_30_DAYS

Where PAST_30_DAYS specifies the preceding 30 days as the time range for the data.

If the command runs successfully, Macie returns a records array. The array contains an object for each account that’s included in the query results. For example:

{
    "records": [
        {
            "accountId": "111122223333",
            "freeTrialStartDate": "2020-05-20T12:26:36.917000+00:00",
            "usage": [
                {
                    "currency": "USD",
                    "estimatedCost": "94.53",
                    "serviceLimit": {
                        "isServiceLimited": false,
                        "unit": "TERABYTES",
                        "value": 50
                    },
                    "type": "SENSITIVE_DATA_DISCOVERY"
                },
                {
                    "currency": "USD",
                    "estimatedCost": "6.35",
                    "type": "DATA_INVENTORY_EVALUATION"
                }
            ]
        },
        {
            "accountId": "444455556666",
            "freeTrialStartDate": "2020-05-18T16:26:36.917000+00:00",
            "usage": [
                {
                    "currency": "USD",
                    "estimatedCost": "153.45",
                    "serviceLimit": {
                        "isServiceLimited": false,
                        "unit": "TERABYTES",
                        "value": 50
                    },
                    "type": "SENSITIVE_DATA_DISCOVERY"
                },
                {
                    "currency": "USD",
                    "estimatedCost": "10.50",
                    "type": "DATA_INVENTORY_EVALUATION"
                }
            ]
        }
    ],
    "timeRange": "PAST_30_DAYS"
}

Where estimatedCost is the total estimated usage cost for the associated usage metric (type) for an account: SENSITIVE_DATA_DISCOVERY, for analyzing S3 objects to detect sensitive data; and, DATA_INVENTORY_EVALUATION, for monitoring and evaluating S3 buckets for security and access control.
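The following Python sketch is an added example, not part of the original AWS documentation. It post-processes JSON shaped like the get-usage-statistics output above into a per-account summary: total estimated cost, whether a budget is exceeded, which metrics have reached their quota (the point at which discovery jobs pause), and days left in the 30-day free trial. The names summarize_usage, budget_usd and SAMPLE are hypothetical, and the sample record values are constructed.

```python
import json
from datetime import datetime, timedelta
from decimal import Decimal

TRIAL_LENGTH = timedelta(days=30)  # the page states that the free trial lasts 30 days

# Constructed sample, shaped like the get-usage-statistics output shown above.
SAMPLE = json.loads("""
{"records": [
  {"accountId": "111122223333", "freeTrialStartDate": "2020-05-20T12:26:36.917000+00:00",
   "usage": [
    {"currency": "USD", "estimatedCost": "94.53", "type": "SENSITIVE_DATA_DISCOVERY",
     "serviceLimit": {"isServiceLimited": true, "unit": "TERABYTES", "value": 50}},
    {"currency": "USD", "estimatedCost": "6.35", "type": "DATA_INVENTORY_EVALUATION"}]},
  {"accountId": "444455556666",
   "usage": [
    {"currency": "USD", "estimatedCost": "153.45", "type": "SENSITIVE_DATA_DISCOVERY",
     "serviceLimit": {"isServiceLimited": false, "unit": "TERABYTES", "value": 50}},
    {"currency": "USD", "estimatedCost": "10.50", "type": "DATA_INVENTORY_EVALUATION"}]}
 ], "timeRange": "PAST_30_DAYS"}
""")


def summarize_usage(response, now, budget_usd):
    """Return one summary dict per account; `now` must be timezone-aware."""
    summaries = []
    for record in response.get("records", []):
        usage = record.get("usage", [])
        # estimatedCost arrives as a string; Decimal avoids float rounding drift.
        total = sum((Decimal(u["estimatedCost"]) for u in usage), Decimal("0"))
        # Metrics whose quota has been met. Discovery jobs pause at the quota,
        # so this marks a gap in sensitive-data coverage, not only a cost event.
        limited = [u["type"] for u in usage
                   if u.get("serviceLimit", {}).get("isServiceLimited")]
        trial_days_left = None  # None: the record carries no trial start date
        start = record.get("freeTrialStartDate")
        if start:
            remaining = datetime.fromisoformat(start) + TRIAL_LENGTH - now
            trial_days_left = max(remaining.days, 0)
        summaries.append({
            "accountId": record["accountId"],
            "total": total,
            "over_budget": total > budget_usd,
            "quota_reached": limited,
            "trial_days_left": trial_days_left,
        })
    return summaries
```

To use it with live data, pass the parsed JSON output of the get-usage-statistics command in place of SAMPLE. The figures are estimates for the current Region only, so run it once per Region in which you use Macie.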

Participating in the free trial

When you enable Amazon Macie for the first time, your Amazon Web Services account is automatically enrolled in the 30-day free trial of Macie. This includes individual accounts that are enabled as part of an AWS organization.

During the free trial, there’s no charge for using Macie in a specific AWS Region to generate and maintain an inventory of your Amazon S3 buckets and to evaluate and monitor the buckets for security and access control. The applicable Region is the Region that’s active when you enable Macie for your account. Although you can use Macie in most Regions, your account is eligible for the free trial in only one Region.

Note

The free trial doesn’t include discovery of sensitive data. This means that you’ll incur charges if you create and run sensitive data discovery jobs that analyze more than 1 GB of data during the free trial. (Macie provides a monthly free tier for jobs. Each month, there’s no charge for you to analyze up to 1 GB of data in S3 objects. After the first 1 GB of data, costs accrue.) You might also incur charges for other AWS services that you use with certain Macie features—for example, using customer managed, AWS KMS customer master keys (CMKs) to decrypt S3 objects that you want to inspect for sensitive data.

After the 30-day free trial ends, charges begin to accrue for maintaining your S3 bucket inventory and evaluating and monitoring your buckets for security and access control.

To check your status and estimated costs during the free trial

During the free trial, you can check the status of your trial and review estimated usage costs for your account. The cost estimates are based on your use of Macie thus far during the free trial. They can help you understand what some of your usage costs might be after the free trial ends. For details about how Macie calculates these values, see Understanding how estimated usage costs are calculated.

Follow these steps to review this data on the Amazon Macie console. You can also access this data programmatically by using the GetUsageStatistics operation of the Amazon Macie API.

  1. Open the Macie console at https://console.aws.amazon.com/macie/.

  2. By using the AWS Region selector in the upper-right corner of the page, select the Region in which you enrolled in the free trial.

  3. In the navigation pane, choose Usage.

The Usage page indicates the number of remaining days in your free trial. It also shows a breakdown of your estimated usage costs in US Dollars:

  • Preventative control monitoring – This is the total projected cost of maintaining your S3 bucket inventory and evaluating and monitoring your buckets for security and access control after the free trial ends.

  • Data discovery jobs – This is the total estimated cost of any sensitive data discovery jobs that you ran. Sensitive data discovery isn’t included in the free trial.

If you’re the Macie administrator for an organization, the Usage page provides details about all the Macie accounts in your organization:

  • In the table, the Free trial field indicates whether an account is currently participating in the free trial. (This field is empty if the free trial has ended for an account.) The Total field indicates the total estimated cost for each account.

  • The Estimated costs section shows estimated costs for your organization overall.

To review the breakdown of estimated costs for a specific account in your organization, choose the account in the table. The Estimated costs section then shows this breakdown. To show this data for another account, choose the account in the table. To clear your account selection, choose X next to the account ID.