Pricing overview
With Amazon Cognito, you pay only for what you use. There are no minimum fees and no upfront commitments. Amazon Cognito charges for identity management and data synchronization, and the pricing for these features are described below.
Amazon Cognito offers you three pricing tiers to choose from when configuring your user pools, each priced based on your usage:
- Lite provides basic user registration, authentication, and management capabilities, including social identity and SAML/OIDC provider integration, and password-based authentication. Lite is targeted for value-oriented use-cases. It includes all Cognito user pool capabilities (without advanced security features) available before November 22, 2024.
- Essentials offers comprehensive and flexible user authentication and access control features, allowing customers to implement secure, scalable, and customized sign-up and sign-in experiences for their application within minutes. It includes all capabilities in Lite along with supporting Managed Login and passwordless login options using passkeys, email, or SMS. Essentials also supports customizing access tokens and disallowing password reuse.
- Plus is geared toward customers with elevated security needs for their applications by offering threat protection capabilities against suspicious log-ins. It includes all Essentials tier features and additionally supports risk-based adaptive authentication, compromised credentials detection, and exporting user authentication event logs to analyze threat signals.
Additionally, Cognito supports machine-to-machine (M2M) authorization and higher requests per second (RPS) as add-ons, each priced based on your usage.
Note:
- Essentials will be the default tier for new users pools created by customers. Customers have the flexibility to switch their user pools between the Lite, Essentials, or Plus tiers anytime based on their application needs.
- Customers are eligible to upgrade their user pools without advanced security features (ASF) in their existing accounts to Essentials and pay the same price as Cognito user pools until November 30, 2025. To be eligible, customers' accounts must have had at least 1 monthly active user (MAU) in the last 12 months on or before 10:00am Pacific Time, November 22, 2024. These customers are also eligible to create new user pools with Essentials tier at the same price as Cognito users pools in those accounts until November 30, 2025.
- Customers with ASF enabled in their user pools will continue paying based on the existing Cognito ASF price. Customers using ASF in Amazon Cognito should consider the Plus tier, which includes all ASF capabilities, additional capabilities such as passwordless log-in, and up to 60% savings compared to using ASF.
Free Tier
Amazon Cognito Essentials and Lite have a free tier. The free tier does not automatically expire at the end of your 12-month AWS Free Tier term, and it is available to both existing and new AWS customers indefinitely. Please note - the free tier pricing isn’t available in the AWS GovCloud (US-West) region.
1. For users who sign in directly via Amazon Cognito or through a social identity provider, Amazon Cognito user pools has a free tier of 10,000 monthly active user (MAU) per month per account or per AWS organization. This free tier is applicable for customers that configure their user pools to either the Lite or Essentials tier. There is no free tier for the Plus tier.
2. For users federated through SAML 2.0 or an OpenID Connect (OIDC) identity provider, Amazon Cognito user pools has a free tier of 50 MAUs per month per account or per AWS organization regardless of your user pool pricing tier configuration.
3. There is no free tier for app clients or token requests when Cognito is used for the machine-to-machine use case.
4. Use of Amazon Cognito identity pools for authenticating users and generating unique identifiers is provided at no charge.
To learn more about AWS Free Tier, refer to the FAQs (https://aws.amazon.com/free/free-tier-faqs/)
Pricing table for Amazon Cognito tiers
-
Essentials
-
Plus
-
Lite
-
Essentials
-
You pay for Amazon Cognito Essentials based on monthly active users (MAUs) in your user pool configured with pricing tier of Essentials. A user is counted as Essentials MAU if the user is active at least once in a month when the user pool pricing tier is configured as Essentials and was never active when the user pool was configured as Plus.
Essentials will be the default tier for new users pools created by customers. Customers have the flexibility to switch their user pools between the Lite, Essentials, or Plus tiers anytime based on their application needs.
Note: Customers are eligible to upgrade their user pools without advanced security features (ASF) in their existing accounts to Essentials and pay the same price as Cognito user pools until November 30, 2025. To be eligible, customers' accounts must have had at least 1 MAU in the last 12 months on or before 10:00am Pacific Time, November 22, 2024. These customers are also eligible to create new user pools with Essentials tier at the same price as Cognito users pools in those accounts until November 30, 2025.
There is separate pricing for users who sign in directly with their credentials from a user pool (includes social identity providers) and for users who sign in through an enterprise directory with SAML federation. For users who sign in through SAML or OIDC federation, the price for MAUs above the 50 MAU free tier is $0.015. This is the same pricing as previously listed before November 22, 2024. For users who sign in directly with their credentials from a user pool (includes social identity providers), their price per MAU is listed in the table below.
SMS messages for Multi-Factor Authentication (MFA)
Separate pricing applies for sending SMS messages for Multi-Factor Authentication (MFA), user registration, password recovery, and phone number verification. Amazon Cognito uses Amazon Simple Notification Service (SNS) to send SMS messages, and you can reference Amazon SNS pricing.
Email messages for user verification
Separate pricing applies for sending email messages for user registration, password recovery, and email address verification. Amazon Cognito uses Amazon Simple Email Service (SES) to send email messages, and you can reference Amazon SES pricing.
-
Example 1: Your user pool is configured with Amazon Cognito Essentials as pricing tier
If your Cognito user pool has 950,000 MAUs and all MAUs sign-in directly or via social identity providers, then your monthly bill will be computed as follows:
Total number of MAUs billed above the 10,000 MAU free tier = 950,000 – 10,000 = 940,000
Price / MAU charged above the free tier = $0.015
Total monthly bill = $0.015 x 940,000 = $14,100
Cognito Essentials MAU cost (monthly): $14,100
-
Example 2: Your user pool is configured with Amazon Cognito Essentials as pricing tier and you have active users signing in via SAML/OIDC federation.
If your Cognito user pool has 950,000 MAUs and out of these MAUs, 945,000 MAUs sign-in directly or via social identity providers, and 5,000 MAUs sign-in via SAML/OIDC federation, then your monthly bill will be computed as follows:
Bill for users signing-in directly or via social identity providers
Total number of MAUs billed above the 10,000 MAU free tier = 945,000 – 10,000 = 935,000
Price / MAU charged above the free tier for Essentials tier = $0.015
Monthly bill = $0.015 x 935,000 = $14,025
Bill for users signing-in via SAML/OIDC providers
Total number of MAUs billed above the 50 MAU free tier = 5,000 - 50 = 4,950
Price / MAU charged above the free tier for login via SAML/OIDC providers = $0.015
Monthly bill = $0.015 x 4,950 = $74.25
Total Cognito monthly bill = $14,025 + $74.25 = $14,099.25
-
-
Plus
-
You pay for Amazon Cognito Plus based on monthly active users (MAUs) in your user pool configured with pricing tier of Plus. A user is counted as Plus MAU if the user is active at least once in a month when the user pool pricing tier is configured as Plus.
Note: Customers with accounts using Amazon Cognito user pools configured with Advanced Security Features (ASF) can save up to 60% on their monthly bill by configuring their user pool with Plus pricing tier.
There is separate pricing for users who sign in directly with their credentials from a user pool (includes social identity providers) and for users who sign in through an enterprise directory with SAML federation. For users who sign in through SAML or OIDC federation, the price for MAUs above the 50 MAU free tier is $0.015. This is the same pricing as previously listed before November 22, 2024. For users who sign in directly with their credentials from a user pool (includes social identity providers), their price per MAU is listed in the table below.
SMS messages for Multi-Factor Authentication (MFA)
Separate pricing applies for sending SMS messages for Multi-Factor Authentication (MFA), user registration, password recovery, and phone number verification. Amazon Cognito uses Amazon Simple Notification Service (SNS) to send SMS messages, and you can reference Amazon SNS pricing.
Email messages for user verification
Separate pricing applies for sending email messages for user registration, password recovery, and email address verification. Amazon Cognito uses Amazon Simple Email Service (SES) to send email messages, and you can reference Amazon SES pricing.
-
Example: Your user pool is configured with Amazon Cognito Plus as pricing tier
If your Cognito user pool has 950,000 MAUs and all MAUs sign-in directly or via social identity providers, then your monthly bill will be computed as follows:
Total number of MAUs billed above the 0 MAU free tier = 950,000 – 0 = 950,000
Price / MAU charged above the free tier = $0.020
Total monthly bill = $0.020 x 950,000 = $19,000
Cognito Plus MAU cost (monthly): $19,000
-
-
Lite
-
You pay for Amazon Cognito Lite based on monthly active users (MAUs) in your user pool configured with pricing tier of Lite. A user is counted as Lite MAU if the user is active at least once in a month when the user pool pricing tier is configured as Lite and was never active when the user pool was configured as Essentials or Plus.
Note:
- Customers with existing user pools created on or before 10:00am Pacific Time, November 22, 2024 will continue having a free tier of first 50,000 MAUs. Advanced Security Features (ASF) will continue to be priced separately and will not have a free tier, just like it has been priced previously.
- Additionally, customers are eligible to create new user pools with Lite tier in their existing accounts and count those MAUs against the free tier of first 50,000 MAUs. To be eligible, customers' accounts must have had at least 1 MAU in the last 12 months on or before 10:00am Pacific Time, November 22, 2024.
There is separate pricing for users who sign in directly with their credentials from a user pool (includes social identity providers) and for users who sign in through an enterprise directory with SAML federation. For users who sign in through SAML or OIDC federation, the price for MAUs above the 50 MAU free tier is $0.015. This is the same pricing as previously listed before November 22, 2024. For users who sign in directly with their credentials from a user pool (includes social identity providers), their price per MAU is listed in the table below. With the exception of free tier MAUs, the price per MAU is the same as previously listed for Cognito user pools before November 22, 2024. Refer to Notes (1) and (2) on scenarios where customers continue to have a free tier of 50,000 MAUs.
Advanced Security FeaturesIf you enable advanced security features for Amazon Cognito, additional prices apply for monthly active users as shown in the table below. This includes audit mode. ASF pricing is the same as the pricing was listed before November 22, 2024.
Advanced security features include compromised credentials detection, adaptive authentication, advanced security metrics, and access token customization. If you enable advanced security features for Amazon Cognito, additional prices apply for monthly active users as shown in the table below. This includes audit mode. **Advanced security features isn't available in the AWS GovCloud (US-West) region**.
The prices for the advanced security features for Amazon Cognito are in addition to the base prices for active users. For example, if you enable these advanced security features for a user pool with 100,000 monthly active users, your monthly bill would be $495 for the base price for active users ($0.0055 per MAU past the 10,000 free tier) plus $4,250 for the advanced security features ($0.05 per MAU for the first 50,000 plus $0.035 per MAU for the next 50,000) for a total of $4,745.
SMS messages for Multi-Factor Authentication (MFA)
Separate pricing applies for sending SMS messages for Multi-Factor Authentication (MFA), user registration, password recovery, and phone number verification. Amazon Cognito uses Amazon Simple Notification Service (SNS) to send SMS messages, and you can reference Amazon SNS pricing.
Email messages for user verification
Separate pricing applies for sending email messages for user registration, password recovery, and email address verification. Amazon Cognito uses Amazon Simple Email Service (SES) to send email messages, and you can reference Amazon SES pricing.
-
Example 1: Your user pool is configured with Amazon Cognito Lite as pricing tier
If your Cognito user pool has 950,000 MAUs and all MAUs sign-in directly or via social identity providers, then your monthly bill will be computed as follows:
Total number of MAUs billed above the 10,000 MAU free tier = 950,000 – 10,000 = 940,000
Tiered price for: 940,000 MAUs
90,000 MAUs x $0.0055 = $495
850,000 MAUs x $0.0046 = $3,910
Total monthly bill = $495 + $3,910 = $4,405
Cognito Lite MAU cost (monthly): $4,405
-
Example 2: Your user pool is configured with Amazon Cognito Lite as pricing tier with ASF enabled
If your Cognito user pool has 950,000 MAUs and all MAUs sign-in directly or via social identity providers, then your monthly bill will be computed as follows:
Total number of MAUs billed above the 10,000 MAU free tier = 950,000 – 10,000 = 940,000
Cognito Lite cost
Tiered price for: 940,000 MAUs
90,000 MAUs x $0.0055 = $495
850,000 MAUs x $0.0046 = $3,910
Total monthly bill = $495 + $3,910 = $4,405
Cognito Lite MAU cost (monthly): $4,405
ASF cost as add-on
Tiered price for: 950,000.00 MAUs
50,000 MAUs x $0.05 = $2,500
50,000 MAUs x $0.035 = $1,750
850,000 MAUs x $0.02 = $17,000
Total ASF cost per month: $2,500 + $1,750+ $17,000 = $21,250 (ASF MAUs)
Advanced security feature cost (monthly): 21,250 USD
Cognito MAU cost (monthly): $4,405 + $21,250 = $25,655
Compare Tiers
Features | Lite | Essentials | Plus |
---|---|---|---|
Basic capabilities for password-based authentication targeted for value-oriented use-cases. Additional capabilities requires customization | Core set of capabilities that enable seamless authentication for end-users such as passwordless login | Enhanced set of capabilities for applications with elevated security needs | |
40 million users or more |
Yes |
Yes |
Yes |
Sign-in with social, SAML, or OIDC providers |
Yes |
Yes |
Yes |
Sign-in with username and password |
Yes |
Yes |
Yes |
MFA with authenticator apps and SMS one-time codes |
Yes |
Yes |
Yes |
Custom runtime action with Lambda triggers | Yes | Yes | Yes |
Customize managed login page with CSS | Yes | Yes | Yes |
99.9% service level agreement | Yes | Yes | Yes |
Customize managed login page with visual editor | Yes | Yes | |
MFA with email one-time codes | Yes | Yes | |
Passwordless sign-in with one-time codes | Yes | Yes | |
Passkeys sign-in with biometrics and hardware keys | Yes | Yes | |
Protect against unsafe passwords | Yes | ||
Prevent reuse of previous passwords | Yes | Yes | |
Customize access token scopes and claims at runtime | Yes | Yes | |
Protect against malicious sign-in attempts | Yes | ||
Log and analyze threat profiles and user activity | Yes | ||
Risk-based adaptive authentication | Yes | ||
Compromised credentials detection | Yes | ||
Export threat profiles and user activity | Yes | ||
Machine-to-machine authorization | Add-on | Add-on | Add-on |
Higher API RPS quota | Add-on | Add-on | Add-on |
Pricing table for Amazon Cognito add-ons
-
API quotas
-
M2M authorization
-
Cognito Sync
-
API quotas
-
You can request higher requests per second (RPS) rates in Amazon Cognito for the API categories defined in the table below. To request increased RPS rates for one or more API categories, or for more information on the individual APIs in each API category, please refer to the documentation. RPS rate increases are subject to approval by AWS.
The prices for higher quotas are in addition to the base prices for monthly active users and any other features including Advanced Security Features. Minimum duration for higher quotas is 1 day.
Prices are per 1 RPS of incremental capacity over default quotas per month. Each API Category is charged separately.
-
Example: If you need an ongoing increment in quota for the User Authentication of 20 RPS indefinitely.
Monthly Cost = 20 RPS * (1 Month) * $20 per RPS-Month = $400.
On the other hand, if you need a partial month quota increase of 20 RPS for 7 days of a 30-day month:
One-time Cost = 20 RPS * (7/30) Month * $45 per RPS-Month = $210
-
-
M2M authorization
-
Amazon Cognito supports machine-to-machine (M2M) use cases using the OAuth 2.0 specification’s client credentials flow. You can use Amazon Cognito to set up your service (software or an API service represented as an “app client”), establish the app client credentials, and issue access tokens in exchange for these credentials (known as token requests). These access tokens can then be used to communicate with your services. You can configure the validity of the access token for each service. You can also determine token usage per app client.
Amazon Cognito charges you along two dimensions for the M2M authorization usage. You are charged monthly per app client, prorated by the second. You are also charged monthly per token request.
* Please contact your account team if you require over 2,500 app clients.
---
Q: Why is Amazon Cognito pricing for a machine-to-machine (M2M) use case?
A: Amazon Cognito supports an OAuth 2.0 client credentials flow, which can help secure machine-to-machine interactions. Amazon Cognito offers support for an M2M capability and it is being priced to better support continued growth and expand capabilities.
Q: Is there any change to Amazon Cognito pricing for monthly active users?
A: No, there is no change to Amazon Cognito’s pricing for monthly active users (MAUs).
Q: When will the Amazon Cognito pricing change for M2M support take effect?
A: This pricing change will not take effect until July 9, 2024. On and after July 9, 2024, you will be charged for your use of the M2M capability, unless you are using Amazon Cognito’s M2M capabilities under an exempted customer account.
Q: Which customer accounts are exempted from the pricing change and for how long?
A: Any AWS account that is configured for use with Amazon Cognito M2M before 12:01 AM UTC, May 9, 2024, the day of the pricing announcement, will be exempt from pricing until May 9, 2025. The exemption will be at the AWS account ID level. If your AWS account had an Amazon Cognito user pool configured for machine-to-machine use (OAuth 2.0 client credentials flow with a confidential app client) before May 9, 2024, then that AWS account will be exempt from pricing until May 9, 2025. Any new AWS account IDs and payer ids created and configured for Amazon Cognito’s M2M capabilities will not be charged until July 9, 2024.
Q: Which customer accounts will not be exempted from the pricing change, and when will these non-exempted accounts be charged for M2M use?
A: Any AWS account that starts using Amazon Cognito M2M for the first time on or after May 9, 2024, will not be charged for this feature until July 9, 2024, but will not be eligible for the 12-month exemption. After July 9, 2024, Amazon Cognito M2M usage for these accounts will be billed at standard pricing. Please note that this will apply even if you have other accounts that are eligible for the 12-month exemption.
Q: What specific usage will not be priced in the exempted accounts?
A: Any customer accounts that were already using Amazon Cognito M2M prior to May 9, 2024, will be exempt from pricing until May 9, 2025. This will apply to all M2M app clients and to token requests made to these app clients in the exempted accounts. We will exempt new M2M app clients created in these accounts after the launch of pricing until May 9, 2025. Both token requests and app clients in these accounts will be payable starting May 9, 2025.
Q: Can non-exempted customer accounts request to be added to the 12-month exemption?
A: No, non-exempted customer accounts cannot be added to the exemption.
Q: Can exempted customer accounts request an extension of the 12-month exemption?
A: No, we do not plan to extend the exemption beyond 12 months.
Q: What will my bill look like?
A: Customers who use this feature will see their current usage of token requests in each of their accounts in their bill. New app clients created will also appear in the bill. The existing app clients will show up in their bill once we complete data backfill.
-
Example: You have 10 app clients and each app client makes 500 requests a month. Each app client was used throughout the month. Your account in US East (N. Virginia) Region.
Total number of token requests in a month
- 500 requests x 10 app clients = 5,000 monthly token requests
Total number of app clients in a month
- 10 app clients
Total cost of M2M authorization
- $0.00225 x 5,000 token requests = $11.25 per month for token requests
- $6.00 x 10 app clients = $60.00 for app clients per month
Total cost = $71.25 per month
-
-
Cognito Sync
-
Monthly active user (MAU) computation
A user is counted as a MAU if, within a calendar month, customers’ application generates an identity operation for that user, like administrative creation or update, sign-up, sign-in, sign-out, token refresh, password change, a user account attribute update, or an attribute query on a user (AdminGetUser API). Customers are not charged for subsequent sessions or for inactive users within that calendar month. In a calendar month when a customer changes their User Pool pricing tier configuration to either Lite, Essentials, or Plus, the monthly bill will be computed as the sum of monthly active users (MAUs) in each tier with each distinct MAU being attributed to the highest-priced tier that was enabled during the user's activity.
- Lite MAU: A user that was active at least once in a month when the user pool pricing tier was configured as Lite and was never active when the user pool was configured as Essentials or Plus.
- Essentials MAU: A user is counted as Essentials MAU if the user is active at least once in a month when the user pool pricing tier is configured as Essentials and was never active when the user pool was configured as Plus.
- Plus MAU: A user that was active at least once in a month when the user pool pricing tier was Plus.