Amazon Macie quotas

Your AWS account has certain default quotas, formerly referred to as limits, for each AWS service. These quotas are the maximum number of service resources or operations for your account. This topic lists the quotas that apply to Amazon Macie resources and operations for your account. Unless otherwise noted, each quota applies to your account in each AWS Region.

Some quotas can be increased, while others cannot. To request an increase to a quota, use the Service Quotas console. To learn how to request an increase, see Requesting a quota increase in the Service Quotas User Guide. If a quota isn't available on the Service Quotas console, use the service limit increase form in AWS Support Center to request an increase to the quota.

Accounts

  • Member accounts by invitation: 1,000

  • Member accounts through AWS Organizations: 5,000

Findings

  • Findings per run of a sensitive data discovery job: 100,000 + 5% of the Amazon S3 objects in the job

    This quota applies only to the Amazon Macie console and the Amazon Macie API. There isn't a quota for the number of finding events that Macie publishes to Amazon EventBridge or the number of sensitive data discovery results that Macie creates for each run of a job.

  • Detection locations per sensitive data finding: 15

  • Filter and suppression rules per account: 1,000

Sensitive data discovery

  • Monthly sensitive data discovery per account: 5 TB

    This quota is adjustable. To increase the quota to as much as 1,000 TB (1 PB), use the Service Quotas console to request the increase. To request an increase for more than 1 PB, use the service limit increase form to request the increase.

  • Amazon S3 buckets per sensitive data discovery job: 1,000. If your account is the Macie administrator account for an organization, the buckets can span as many as 1,000 accounts in your organization.

    This quota applies to a job only if you configure the job to analyze specific buckets that you select. It doesn't apply to jobs that use run-time bucket criteria to determine which buckets to analyze.

  • Custom data identifiers per sensitive data discovery job: 30

  • Size of an individual file to analyze:

    • Adobe Portable Document Format (.pdf) file: 1,024 MB

    • Apache Avro object container (.avro) file: 8 GB

    • Apache Parquet (.parquet) file: 8 GB

    • GNU Zip compressed archive (.gz or .gzip) file: 8 GB

    • Microsoft Excel workbook (.xls or .xlsx) file: 512 MB

    • Microsoft Word document (.doc or .docx) file: 512 MB

    • Non-binary text file: 20 GB

    • TAR archive (.tar) file: 20 GB

    • ZIP compressed archive (.zip) file: 8 GB

    If a file is larger than the applicable quota, Macie doesn't analyze any data in the file.

  • Extraction and analysis of data in a compressed or archive file:

    • Storage size (compressed): 8 GB for a GNU Zip compressed archive (.gz or .gzip) file or ZIP compressed archive (.zip) file; 20 GB for a TAR archive (.tar) file

    • Nested archive depth: 10 levels

    • Extracted files: 1,000,000

    • Extracted bytes: 10 GB of data that uses a supported file type or storage format

    If the metadata for a compressed or archive file indicates that the file contains more than 10 nested levels or exceeds the applicable quota for storage size or extracted bytes, Macie doesn't extract or analyze any data in the file.

    If Macie begins to extract and analyze data in a compressed or archive file and subsequently determines that the file contains more than 1,000,000 files or exceeds the quota for extracted bytes, Macie stops analyzing data in the file and creates sensitive data findings and discovery results only for the data that was processed.

  • Analysis of nested elements in structured data: 256 levels per file

    This quota applies only to JSON (.json) and JSON Lines (.jsonl) files. If the nested depth of either type of file exceeds this quota, Macie doesn't analyze any data in the file.

  • Detection locations in sensitive data discovery results: 1,000 per sensitive data detection type

  • Detection of full names: 1,000 per file unless the file is an archive file. For an archive file, Macie detects and reports the total number of full names that were detected across individual files in the archive, for as many as 1,000 occurrences in each individual file.
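
The file-size and archive quotas above decide which objects a job leaves unanalyzed, so checking an object inventory against them shows where discovery coverage will have gaps. The following Python is an added example, not part of the AWS documentation or any AWS tool: `size_verdict`, `zip_verdict` and `make_zip` are hypothetical names. It assumes binary units (1 GB = 1024^3 bytes), treats unlisted extensions as non-binary text, counts the outer archive as nesting level 1, follows only nested `.zip` members, and sums every member's declared size, which is an upper bound on what Macie would count.

```python
import io
import zipfile

MB, GB = 1024 ** 2, 1024 ** 3  # assumption: the quotas use binary units
SIZE_QUOTA = {  # per-file size quotas from the list above, by extension
    ".pdf": 1024 * MB, ".avro": 8 * GB, ".parquet": 8 * GB, ".gz": 8 * GB,
    ".gzip": 8 * GB, ".zip": 8 * GB, ".tar": 20 * GB, ".xls": 512 * MB,
    ".xlsx": 512 * MB, ".doc": 512 * MB, ".docx": 512 * MB,
}
TEXT_QUOTA = 20 * GB  # assumption: any other extension is non-binary text


def size_verdict(key, size):
    """'skipped' if the object is larger than its per-file quota, else 'ok'."""
    ext = "." + key.rsplit(".", 1)[-1].lower() if "." in key else ""
    return "skipped" if size > SIZE_QUOTA.get(ext, TEXT_QUOTA) else "ok"


def zip_verdict(data, max_depth=10, max_files=1_000_000, max_bytes=10 * GB):
    """'skipped', 'partial' or 'ok' for a ZIP, judged from its directory metadata."""
    # Assumption: the outer archive counts as nesting level 1.
    files = total = 0
    stack = [(data, 1)]
    while stack:
        blob, depth = stack.pop()
        if depth > max_depth:
            return "skipped"  # nested too deeply: no data analyzed
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                files += 1
                total += info.file_size  # declared size; nothing inflated yet
                if total > max_bytes:
                    return "skipped"  # declared extracted bytes over quota
                if info.filename.lower().endswith(".zip"):
                    # Inflated only after its declared size passed the byte check.
                    stack.append((zf.read(info), depth + 1))
    # Over the file count, analysis stops part-way and findings are partial.
    return "partial" if files > max_files else "ok"


def make_zip(members):
    """Build a constructed sample ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

The limit parameters default to the quotas on this page; lowering them, as a test would, exercises each verdict without building multi-gigabyte archives.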