Cognito User Pools
If you are using Cognito Identity to create a User Pool, you pay based on your monthly active users (MAUs) only. A user is counted as a MAU if, within a calendar month, there is an identity operation related to that user, such as sign-up, sign-in, token refresh, password change, or a user account attribute is updated. You are not charged for subsequent sessions or for inactive users within that calendar month.
There is separate pricing for users who sign in directly with their credentials from a User Pool and for users who sign in through an enterprise directory through SAML federation.
The Cognito Your User Pool feature has a free tier of 50,000 MAUs for users who sign in directly to Cognito User Pools and 50 MAUs for users federated through SAML 2.0 based identity providers. The free tier does not automatically expire at the end of your 12 month AWS Free Tier term, and it is available to both existing and new AWS customers indefinitely. Please note - the free tier pricing isn’t available for both Your User Pool feature and SAML or OIDC federation in the AWS GovCloud regions.
Users who sign in directly with their User Pool credentials or with social identity providers:
For users who sign in directly with their credentials from a User Pool or with social identity providers such as Apple, Google, Facebook and Amazon, there are volume-based pricing tiers for MAUs above the free tier, as shown in the table below.
The prices for the advanced security features for Amazon Cognito are in addition to the base prices for active users. For example, if you enable these advanced security features for a user pool with 100,000 monthly active users, your monthly bill would be $275 for the base price for active users ($0.0055 per MAU past the 50,000 free tier) plus $4,250 for the advanced security features ($0.05 per MAU for the first 50,000 plus $0.035 per MAU for the next 50,000) for a total of $4,525.
SMS messages for Multi-Factor Authentication
Separate pricing applies for sending SMS messages for Multi-Factor Authentication (MFA) and phone number verification. Amazon Cognito uses Amazon Simple Notification Service (SNS) to send SMS messages, and you can reference Amazon SNS pricing.
Use of the Federated Identities feature for authenticating users and generating unique identifiers is provided at no- charge.
Migrating Existing User Directories to Cognito User Pools:
Many organizations may have existing infrastructure for managing user identities, authentication and authorization, but maintaining and supporting these systems and keeping them up to date with evolving best security practices can be costly and time consuming.
Consequently, many organizations are looking to take advantage of cloud-based services to replace these existing systems and are looking for guidance and help to migrate them to the AWS cloud, which manages the heavy lifting for you so you can focus on running your business.