
A Simple Guide to AWS Cognito Pricing

We sometimes see people explore AWS Cognito as an auth solution. In many cases, we see them struggle to make sense of the pricing. What does this even cost, we'll hear. This is my best effort to make things make sense. Be aware that this guide may drift out of date over time; please drop me a note if you notice issues.


So what is AWS Cognito?

Cognito is an AWS service that you can use to handle auth and user management for web applications. Among other things, you can use it to log users in and to manage users' access in your applications. It's just one of many (and I mean many) different services that AWS offers.


How does AWS Cognito pricing work?

If you use AWS Cognito, there are three main drivers of your monthly bill:

  1. The pricing tier (i.e., the core bundle of features) you choose
  2. The number of monthly active users (MAUs) you have
  3. Any add-on features you opt into

So let's start with the pricing tiers that Cognito has.

AWS Cognito pricing tiers, explained

What's in each pricing tier?

There are three core pricing tiers for AWS Cognito: Lite, Essentials, and Plus. Here's a simplified summary of some of the features.

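| Feature | Lite | Essentials | Plus |
|---|---|---|---|
| Basic auth | ✔️ | ✔️ | ✔️ |
| Social login | ✔️ | ✔️ | ✔️ |
| OIDC | ✔️ | ✔️ | ✔️ |
| SAML | ✔️ | ✔️ | ✔️ |
| Basic MFA | ✔️ | ✔️ | ✔️ |
| Advanced MFA | | ✔️ | ✔️ |
| Extra login page customization | | ✔️ | ✔️ |
| Custom access tokens | | ✔️ | ✔️ |
| Extra security features | | | ✔️ |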

This is, of course, a simplification. But hopefully it illustrates some of what's going on.

How much does each tier cost?

I wish I could just give you a single price per monthly active user (MAU) for each tier. Regrettably, Cognito doesn't work that way. It's complicated.

Let's start by distinguishing two different kinds of users: first, users that log in using SAML/OIDC identity federation; second, users that log in using any other method.

Users on SAML/OIDC identity federation

Pricing works a little differently for Cognito users that log in via SAML/OIDC. On each tier, you get your first 50 SAML/OIDC users for free, and then you have to pay $0.015 per MAU for your 51st MAU onward.

| | Lite | Essentials | Plus |
|---|---|---|---|
| First 50 MAUs | $0.000 | $0.000 | $0.000 |
| All other users | $0.015 | $0.015 | $0.015 |

Users not on SAML/OIDC identity federation

Different rates apply to users that aren't using SAML/OIDC for login.

| | Lite | Essentials | Plus |
|---|---|---|---|
| First 10,000 MAUs | $0.000 | $0.000 | $0.000 |
| All other users | Up to $0.005* | $0.015 | $0.020 |

*Note: volume discounts apply to the Lite tier. Additionally, prices vary a bit depending on the Region that you're using. I'm simplifying things here on purpose.

AWS Cognito pricing add-ons

There are a bunch of other things you can pay for. I'll try to cover them quickly.

API quotas

You can pay for elevated requests per second for the different APIs that AWS Cognito exposes. For example, you can pay $20.00/mo for an additional 1 RPS over the default capacity.

M2M authorization

If you want to set up your software as an OAuth "app client," you'll pay AWS depending on the number of token requests and app clients you have in a month.

SMS and email

If you're sending SMS messages or emails as part of your auth flow, you'll have the option of paying for those services separately. You'll need to look into AWS's pricing schedules for SMS and email.

AWS Cognito pricing calculator

Okay, so this all gets kind of confusing. Once you have a handle on what I've just laid out, I highly recommend toying with the Cognito pricing calculator.


What do developers say about AWS Cognito?

Pricing isn't the only story here. You'll need to evaluate whether Cognito's the right solution in the first place. Because I'm a little biased, here are some comments from developers on public forums.

Reddit: If you've got funding or the cashflow, save yourself the headache and pay for a better service that works out of the box.

Reddit: I'd say Cognito is worth avoiding for any real product. It has too many issues for any customer-facing experience.

Hacker News: it's a complex poorly documented pile of [expletive].

Hacker News: I think vanilla Cognito doesn’t do a very good job of delivering you something that actually works out of the box with no footguns - you still have to handroll a lot of stuff.

Hacker News: Every year or so I check back in to see if Cognito has gotten any better. It hasn't. I'd love to use it, but some very basic things are just not done correctly.

Reddit: Avoid Cognito like the plague. With my start up I tried to use Cognito and it was like swimming up hill.

What's the consensus? Cognito looks like it'll work nicely at first glance. And if you work through the complex pricing math, you'll find that it's cheaper than some alternatives. But be aware that you are not signing up for a pleasant developer experience; things are likely to be more time-consuming and clunky than you expect!


What are some good alternatives to AWS Cognito?

There are an awful lot of better options out there, and I'd encourage you to consider them. Here's a quick overview of a few:

  1. Best for B2B / Enterprise: Tesseral is open source (MIT) user management built specifically for B2B apps. It includes everything you need for B2B applications, like fine-grained access control and API key authentication. An unusual plus: you can run it anywhere you can run Kubernetes, including in air-gapped or denied environments.

  2. Best for Consumer: Clerk is a component-first auth service tightly aligned to the Next.js web framework. It's a great option if you're working on front-end heavy consumer applications, but it's missing a few features you need in enterprise applications.

  3. Most established: Auth0 is an Okta property that's been around for a little while. It leaves a bit to be desired in developer experience, but it's proven itself a valid option.

About the Author
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.