User pool feature plans - Amazon Cognito

User pool feature plans

Understanding the cost is a crucial step in preparing to implement Amazon Cognito user pools authentication. Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it.

User pools have a variety of features that you can turn on and off. For example, you can turn on multi-factor authentication (MFA) and turn off sign-in with third-party identity providers (IdPs). Some changes require you to switch your feature plan. The following characteristics of your user pool determine the cost that AWS bills you monthly for usage.

  • The features that you choose

  • The requests per second that your application makes to the user pools API

  • The number of users with authentication, update, or query activity in a month, also called monthly active users or MAUs

  • The number of monthly active users from third-party SAML 2.0 or OpenID Connect (OIDC) IdPs

  • The number of app clients and user pools that do client-credentials grants for machine-to-machine authorization

For the most current information about user pool pricing, see Amazon Cognito pricing.

Feature-plan selections apply to one user pool. Different user pools in the same AWS account can have different plan selections. You can't apply separate feature plans to app clients within a user pool. The default plan selection for new user pools is Essentials.

You can switch between feature plans at any time to fit the requirements of your applications. Some changes between plans require that you turn off active features. For more information, see Turning off features to change feature plans.

User pool feature plans
Lite

Lite is a low-cost feature plan for user pools with lower numbers of monthly active users. This plan is sufficient for user directories with basic authentication features. It includes sign-in features and the classic hosted UI, a slimmer, less-customizable version of managed login. Many newer features, like access-token customization and passkey authentication, aren't included in the Lite plan.

Essentials

Essentials has all of the latest user pool authentication features. This plan adds new options to your applications, whether your login pages are managed login or custom-built. Essentials has advanced authentication features like choice-based sign-in and email MFA.

Plus

Plus includes everything in the Essentials plan and adds advanced security features that protect your users. Monitor user sign-in, sign-up, and password-management requests for indicators of compromise. For example, user pools can detect whether users are signing in from an unexpected location or using a password that's been part of a public breach.

User pools with the Plus plan generate logs of user activity details and risk evaluations. You can apply your own usage and security analysis to these logs when you export them to external services.

Note

Previously, some user pool features were included in an advanced security features pricing structure. The features that were included in this structure are now under either the Essentials or Plus plan.

Select a feature plan

AWS Management Console

To choose a feature plan

  1. Go to the Amazon Cognito console. If prompted, enter your AWS credentials.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. Select the Settings menu and review the Feature plans tab.

  5. Review the features available to you in the Lite, Essentials, and Plus plans.

  6. To change your plan, select Switch to Essentials, or Switch to Plus. To switch to the Lite plan, choose Other plans, then Compare with Lite.

  7. On the next screen, review your choice and select Confirm.

CLI/API/SDK

The CreateUserPool and UpdateUserPool operations set your feature plan in the UserPoolTier parameter, which accepts LITE, ESSENTIALS, or PLUS. When you don't specify a value for UserPoolTier, your user pool defaults to ESSENTIALS. If you set AdvancedSecurityMode (under UserPoolAddOns) to AUDIT or ENFORCED, your user pool tier must be PLUS, and it defaults to PLUS when you don't specify one.

See Examples in CreateUserPool for syntax. See the See Also section of CreateUserPool for links to this operation in the AWS SDKs for a variety of programming languages.

"UserPoolTier": "PLUS"

In the AWS CLI, this option is the --user-pool-tier argument.

--user-pool-tier PLUS

See create-user-pool and update-user-pool in the AWS CLI command reference for more information.
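The following preflight script is an added example, not code from the Amazon Cognito documentation or the AWS SDKs. It encodes the two rules above (UserPoolTier defaults to ESSENTIALS; AdvancedSecurityMode AUDIT or ENFORCED requires, and defaults to, PLUS) and then checks a DescribeUserPool result for features that have to be turned off before a downgrade, as the feature table on this page describes. The mapping of Essentials-only features to specific API fields (Policies.SignInPolicy.AllowedFirstAuthFactors values EMAIL_OTP, SMS_OTP and WEB_AUTHN; a PreTokenGenerationConfig.LambdaVersion other than V1_0 for access-token customization) and the sample pool object are assumptions made for the illustration; the boto3 call is optional and only runs if you invoke it yourself.

```python
"""Preflight check for Amazon Cognito user pool feature-plan (UserPoolTier) changes.

Added example, not AWS documentation code. Rules taken from the page:
  * UserPoolTier accepts LITE, ESSENTIALS or PLUS and defaults to ESSENTIALS.
  * AdvancedSecurityMode AUDIT or ENFORCED requires PLUS, and a pool created
    with one of those modes but no explicit tier defaults to PLUS.
The field mapping for Essentials-only features below is an assumption.
"""
from __future__ import annotations

from typing import Any

TIERS = ("LITE", "ESSENTIALS", "PLUS")          # ordered from fewest to most features
DEFAULT_TIER = "ESSENTIALS"
PLUS_ONLY_ADVANCED_SECURITY = {"AUDIT", "ENFORCED"}
# Assumed: first-factor values that correspond to the Essentials features
# "passwordless sign-in with one-time codes" and "passkey sign-in".
ESSENTIALS_FIRST_FACTORS = {"EMAIL_OTP", "SMS_OTP", "WEB_AUTHN"}


def resolve_tier(requested: str | None, advanced_security_mode: str | None) -> str:
    """Return the tier the service applies for a Create/UpdateUserPool call,
    or raise ValueError for a combination the service rejects."""
    if requested is not None and requested not in TIERS:
        raise ValueError(f"unknown UserPoolTier {requested!r}; expected one of {TIERS}")
    if advanced_security_mode in PLUS_ONLY_ADVANCED_SECURITY:
        if requested not in (None, "PLUS"):
            raise ValueError(
                f"AdvancedSecurityMode={advanced_security_mode} requires UserPoolTier=PLUS, got {requested}"
            )
        return "PLUS"
    return requested or DEFAULT_TIER


def blocking_features(pool: dict[str, Any], target_tier: str) -> list[str]:
    """List features still enabled in `pool` (a DescribeUserPool UserPool object)
    that are not available in `target_tier`."""
    blockers: list[str] = []
    rank = TIERS.index(target_tier)
    # Plus only: threat protection (advanced security) in AUDIT or ENFORCED mode.
    mode = pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if rank < TIERS.index("PLUS") and mode in PLUS_ONLY_ADVANCED_SECURITY:
        blockers.append(f"UserPoolAddOns.AdvancedSecurityMode={mode} (Plus only)")
    if rank < TIERS.index("ESSENTIALS"):
        factors = set(pool.get("Policies", {}).get("SignInPolicy", {}).get("AllowedFirstAuthFactors", []))
        for factor in sorted(factors & ESSENTIALS_FIRST_FACTORS):
            blockers.append(f"SignInPolicy.AllowedFirstAuthFactors contains {factor} (Essentials or Plus)")
        version = pool.get("LambdaConfig", {}).get("PreTokenGenerationConfig", {}).get("LambdaVersion")
        if version and version != "V1_0":
            blockers.append(f"PreTokenGenerationConfig.LambdaVersion={version} customizes access tokens (Essentials or Plus)")
    return blockers


def build_update_request(pool: dict[str, Any], target_tier: str) -> dict[str, Any]:
    """Build the tier-related UpdateUserPool kwargs, refusing a downgrade while
    features the target plan lacks are still on."""
    blockers = blocking_features(pool, target_tier)
    if blockers:
        raise ValueError(f"turn off these features before switching to {target_tier}: " + "; ".join(blockers))
    return {"UserPoolId": pool["Id"], "UserPoolTier": target_tier}


def describe_pool(pool_id: str) -> dict[str, Any]:
    """Live path (needs AWS credentials): fetch the pool with boto3. Imported lazily
    so the offline checks above run without the SDK installed."""
    import boto3
    return boto3.client("cognito-idp").describe_user_pool(UserPoolId=pool_id)["UserPool"]


# Constructed, trimmed DescribeUserPool output for a Plus pool; not a real pool.
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "UserPoolTier": "PLUS",
    "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
    "Policies": {"SignInPolicy": {"AllowedFirstAuthFactors": ["PASSWORD", "WEB_AUTHN"]}},
    "LambdaConfig": {"PreTokenGenerationConfig": {"LambdaVersion": "V2_0",
                     "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:example"}},
}

if __name__ == "__main__":
    for tier in TIERS:
        print(tier, blocking_features(SAMPLE_POOL, tier))
```

Two caveats when you turn this into a real change. UpdateUserPool resets any attribute you omit to its default value, so a production call should carry the pool's current configuration along with the new UserPoolTier rather than sending only the two keys returned by build_update_request. And the service enforces these rules itself; the offline check just tells you which features to disable before the call instead of letting the API reject it.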

Features by plan

Features and plans in user pools
Feature | Description | Feature plan
Protect against unsafe passwords | Check plaintext passwords for indicators of compromise at runtime | Plus
Protect against malicious sign-in attempts | Check session properties for indicators of compromise at runtime | Plus
Log and analyze user activity | Generate logs of user authentication session properties and risk scores | Plus
Export user activity logs | Push user session and risk logs to an external AWS service | Plus
Customize managed login pages with a visual editor | Use a visual editor in the Amazon Cognito console to apply branding and style to your managed login pages | Essentials + Plus
MFA with email one-time codes | Request or require local users to provide an additional email message sign-in factor after username authentication | Essentials + Plus
Customize access token scopes and claims at runtime | Use a Lambda trigger to extend the authorization capabilities of user pool access tokens | Essentials + Plus
Passwordless sign-in with one-time codes | Permit users to receive a one-time password by email or SMS as their first authentication factor | Essentials + Plus
Passkey sign-in with hardware or software FIDO2 authenticators | Permit users to use a cryptographic key stored on a FIDO2 authenticator as their first authentication factor | Essentials + Plus
Sign-up and sign-in | | Lite + Essentials + Plus
User groups | | Lite + Essentials + Plus
Sign-in with social, SAML, and OIDC providers | Provide users with the option to sign in directly or with their preferred provider | Lite + Essentials + Plus
OAuth 2.0 and OIDC authorization server | | Lite + Essentials + Plus
Managed login pages | | Lite + Essentials + Plus
Password, custom, refresh-token, and SRP authentication | Prompt users for a username and password in your application | Lite + Essentials + Plus
Machine-to-machine (M2M) with client credentials | | Lite + Essentials + Plus
API authorization with resource servers | | Lite + Essentials + Plus
User import | | Lite + Essentials + Plus
MFA with authenticator apps and SMS one-time codes | Request or require local users to provide an additional SMS message or authenticator app sign-in factor after username authentication | Lite + Essentials + Plus
Customize ID token scopes and claims at runtime | Use a Lambda trigger to extend the authentication capabilities of user pool identity (ID) tokens | Lite + Essentials + Plus
Custom runtime actions with Lambda triggers | Customize the sign-in process at runtime with Lambda functions that perform external actions and influence authentication | Lite + Essentials + Plus
Customize managed login pages with CSS | Download a CSS template and change some styles in your managed login pages | Lite + Essentials + Plus