If you’re storing data in Amazon S3 (Simple Storage Service) buckets, it’s highly likely you’ve taken a look at Amazon Macie. If you’re new to the AWS ecosystem, Macie is a tool Amazon built to help S3 users discover, classify, and protect the sensitive data they store in their S3 instances.
On a positive note, offering a tool like Macie is a good thing as Amazon S3 users have had their fair share of challenges keeping their buckets (and the data within them) out of harm’s way. The visibility provided by Macie and similar toolsets is essential for security professionals looking to understand their risk footprint and where the data they need to protect actually resides. On the downside, however, the cost to actually use Amazon Macie may leave a sour taste in your mouth (as this user reported after racking up $60,000 worth of charges in just 24 hours).
Amazon Macie Pricing
Per Amazon’s website, the “Content Classification” component of Macie is priced as such:
“No charge for the first 1 GB processed by the content classification engine
After first GB, $5.00 per GB processed by the content classification engine”
Using 100GB as an example, that’s $495 for your initial scan. If your bucket grows 5GB the next month, that’s no problem. It’s just $25 because you already scanned the other 100GB last month. Let’s say you started in January and your bucket grows 5GB each month. That would mean your total annual cost for performing content classification scans against this bucket would be $495 + ($25*11) = $770. Not bad! But unfortunately, that’s not reality.
- Data (especially file data) is created at alarming rates and is rarely deleted (so it’s just going to keep growing and growing)
- Active data changes (so it’s going to need to be re-scanned)
- Requirements change and you’ll want to look for new things (which means you’ll have to scan it ALL again, every time)
- You’re probably going to have multiple buckets (so that $770 might begin to compound very quickly)
- Scan frequency matters (and once per month is probably not going to make you feel like you’re on top of what’s in these buckets)
So what’s your Amazon Macie alternative?
An Affordable Alternative to Amazon Macie
Stealthbits’ StealthAUDIT is an auditing, reporting, and governance platform supporting dozens of unstructured and structured data repositories, directories, and operating systems located both on-premises and in the cloud. For Amazon S3, StealthAUDIT provides a full-scale, automated solution that helps administrations understand how access has been configured to their S3 buckets and who has permissions to the data within them, who is accessing the data, which files contain sensitive data, and much more. And if you’re like every other organization on the planet and are using technologies other than Amazon S3, like on-premises network file shares, SharePoint and Exchange (on-prem or O365), Dropbox, Box, SQL, Azure SQL, and Oracle databases, StealthAUDIT allows you to aggregate all this access, activity, and sensitive data information into one place to get a global view into what any user or group has access to or who effectively can access any particular resource.
In comparison with Amazon Macie’s Content Classification, StealthAUDIT not only provides a broader set of capabilities for AWS in that it covers far more subject-matter (e.g. Users, Groups, Roles, Policies, Permissions, Content, Activity, and Sensitive Data), but it also provides substantial cost savings allowing organizations to scan even the largest datasets at high frequency for pennies on the dollar – literally. This makes StealthAUDIT one of the most affordable Amazon Macie Alternatives on the market today.
Cost Savings – Stealthbits StealthAUDIT vs. Amazon Macie
Depending on where Stealthbits’ scanner is deployed (and whether the data is being transferred out to the internet) costs per GB range from $0.02 – $0.09. See the “Data Transfer” tab on Amazon’s S3 pricing page.
Against that same 100GB dataset in our previous example, that’s a 98.2% – 99.6% reduction in content classification costs. The first 100GB would cost between $2.00 – $9.00, and if the results remained within the AWS ecosystem, you could scan a new 100GB every day for over a year (385 days to be exact) before exceeding the costs of the example discussed previously. That’s more like it!
To be clear, this is not a commentary on Amazon Macie as a technology. Amazon makes incredible technology that has and continues to change the world. But for organizations storing massive quantities of files in S3, the price to obtain adequate visibility into the content of those files becomes a real problem. Request a free trial of StealthAUDIT for AWS and we’ll help you see it with your own eyes!
Not long after this blog post was originally published (May 13, 2020 to be exact), Amazon released new pricing for Macie “that lowers the price by 80% to over 90% with volume discounting tiers.” You can read Amazon’s announcement or check out the updated Macie pricing on this page.
This is really good news, especially for organizations either storing small amounts of data (because it’ll be really cheap) or all of their files in AWS S3 Buckets (because it won’t matter that you need to do the same thing in all the other places files are stored, as Macie only works in AWS). One other big change is that you’ll also now be charged by the number of buckets you’re scanning if you want to assess their security and access controls. Right now that’s set at $0.10 per bucket per month. Unless you’ve got buckets in the thousands, the monthly costs shouldn’t be too exorbitant.
However, even with the price cut, StealthAUDIT for AWS remains at a minimum 92% less expensive than Macie at even the highest volume tier (Macie’s $0.25/GB @ over 500,000 GB/month versus StealthAUDIT’s $0.02/GB or less @ any volume.)
If we did the math at that volume (500,000 GB), that’d be $125,000/month with Macie (ouch!) and $10,000/month with StealthAUDIT. So with StealthAUDIT, you could scan all that data every month rather than once per year, and you’d still save $5,000. You’d also be able to view and control all of this data in the same place you do your Microsoft 365 data in SharePoint Online and OneDrive, your on-premises NAS devices, your databases, and dozens of other supported platforms. You could run Data Access Governance and Data Privacy workflows. You could monitor activity and detect threats with the context of data sensitivity, and much more.
Kudos to Amazon for reducing the price of this really important functionality. It should now undoubtedly be accessible to more AWS users than it was previously. For organizations seeking a more robust and still significantly more cost-effective solution, give us a shout and we’ll be glad to help you out.
Adam Laub is STEALTHbits Technologies’ Chief Marketing Officer (CMO). As CMO, Adam is responsible for corporate marketing, communications and AR/PR, demand generation, product marketing, events, and marketing operations. Additionally, he and his team participate heavily in setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization, and all aspects of product evangelism.
Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, Product Management, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.