AWSAmazon CognitoSecurity

aws_cognito_user_pool cost estimation

A managed user directory for sign-up and sign-in. Priced per monthly active user (MAU) above a free tier, with the rate set by the feature tier.

An aws_cognito_user_pool is a hosted user directory: sign-up, sign-in, MFA, federation, and token issuance, without you running an identity service. Cognito's pricing changed to the tiered model (Lite, Essentials, Plus), and the cost driver is monthly active users (MAU) above the free allowance. A user counts as active in a month if they perform any identity operation (sign-in, token refresh, password change).

The default tier for new pools is Essentials, which includes a free allowance and then bills per MAU beyond it. A pool with 100,000 active users on Essentials, with 10,000 free, bills 90,000 MAU at the Essentials rate. The Plus tier adds advanced security (compromised-credential detection, adaptive auth) at a higher per-MAU rate; Lite is the cheapest with fewer features.

c3x prices the pool from the active-user count you supply in c3x-usage.yml, applying the tier rate above the free allowance. MAU is inherently a runtime figure, so without usage input the standing cost is zero. App clients, identity providers, and resource servers attached to the pool are free and don't add to the estimate.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_cognito_user_pool" "users" {
  name = "app-users"

  password_policy {
    minimum_length    = 12
    require_numbers   = true
    require_symbols   = true
    require_uppercase = true
  }

  mfa_configuration = "OPTIONAL"

  account_recovery_setting {
    recovery_mechanism {
      name     = "verified_email"
      priority = 1
    }
  }
}

Pricing dimensions

What you actually pay for when you provision aws_cognito_user_pool.

DimensionUnitWhat's being charged
Monthly active users (Essentials)per MAUActive users above the free allowance, billed at the Essentials tier rate. A user is active if they perform any identity operation in the month. Usage-based.
$0.015/MAU above the first 10,000
Monthly active users (Plus)per MAUHigher per-MAU rate for the Plus tier, which adds advanced security (threat protection, adaptive auth).
$0.020/MAU above the free allowance
Machine-to-machine (M2M) tokensper token / per app clientM2M app clients and token requests for service-to-service auth bill separately. Usage-based.

Sample C3X output

Example output from c3x estimate with 100,000 MAU on Essentials supplied:

aws_cognito_user_pool.users
└─ Monthly active users (90,000 billable)   90,000  MAU    $1,350.00

OVERALL TOTAL                                                 $1,350.00

Optimization tips

Common ways to reduce aws_cognito_user_pool cost without changing the workload.

Pick the lowest tier that meets your security needs

25%+ per MAU

Plus adds threat protection and adaptive auth at a higher per-MAU rate. If you don't use those features, Essentials (or Lite for minimal needs) is materially cheaper at scale.

Don't keep dormant users active

Variable

MAU counts anyone performing an operation. Background token refreshes from abandoned sessions can inflate MAU; tune refresh-token lifetimes so truly inactive users don't count.

Consider federation for large external user bases

Workload-dependent

Federating to an external IdP (social, SAML) can shift some identity load, though federated users still count as MAU. Model the real active count before assuming savings.

FAQ

How does c3x estimate Cognito User Pool cost?

It prices monthly active users above the free allowance at the tier rate (Essentials by default). MAU is a runtime figure, so c3x reads it from c3x-usage.yml; with no usage supplied the standing cost is zero.

What counts as a monthly active user?

Any user who performs an identity operation in the calendar month, such as signing in, refreshing a token, or changing a password. A user who does nothing in a month is not billed.

Which pricing tier does c3x assume?

Essentials, the default for new user pools. You can model Plus or Lite by setting the tier in the usage file; c3x applies the corresponding per-MAU rate.

Are app clients and identity providers charged?

No. App clients, resource servers, identity providers, and user groups attached to the pool are free. Only active users (and M2M tokens, separately) drive cost.

Why does the estimate show $0 with no usage file?

Cost is purely per active user, which c3x can't know from Terraform alone. Supply the expected MAU in c3x-usage.yml to get a real number.

Related resources

AWS
aws_secretsmanager_secret

Storing app credentials and signing keys used alongside Cognito

AWS
aws_lambda_function

Cognito triggers (pre-signup, post-auth) run as Lambda functions

AWS
aws_api_gateway_rest_api

APIs commonly authorized by a Cognito user pool

Estimate this resource in your own Terraform

Free, open source, no API key. C3X parses your Terraform and shows line-item cost for every resource, including aws_cognito_user_pool.

Get StartedStar on GitHub
← Browse all AWS resources