About
Amazon Cognito is an AWS identity and access management service that helps organizations implement secure authentication and authorization for customer applications, AI agents, microservices, and APIs. It provides managed user pools and identity pools to support sign-in, access control, and federation across human and machine identities.
The service is designed to help teams launch branded sign-up and sign-in experiences quickly while maintaining enterprise-grade security and scalability. It supports social login, SAML and OIDC federation, passwordless authentication, passkeys, token customization, and machine-to-machine authorization for modern application architectures.
- Managed customer identity and access management for web and mobile apps
- Support for human users, AI agents, and machine identities
- Social, SAML, and OIDC federation options
- Passwordless sign-in with passkeys, SMS, and email one-time codes
- Advanced security features such as adaptive authentication and compromised credential detection
- Machine-to-machine authorization and higher API quota add-ons
Free Tier Value
This free tier is very usable for small-to-medium authentication workloads because it includes 10,000 monthly active users for direct or social sign-ins, plus 50 monthly active users for SAML/OIDC federation and free identity-pool authentication. At the listed $0.015 per MAU rate, the direct/social allowance alone is worth about $150 per month, so a practical estimate is $150/month; the feature set is broad, but some higher-security and machine-to-machine capabilities are excluded, so parity is high but not complete.
What's included in the free tier
- Up to 10,000 monthly active users per month for direct sign-ins or social identity providers on Lite or Essentials tiers.
- Up to 50 monthly active users per month for SAML 2.0 or OIDC federated sign-ins, regardless of tier.
- Free identity pool authentication and unique identifier generation at no charge.
- Indefinite free tier availability for existing and new AWS customers, with no 12-month expiration.
- No free tier for Plus tier direct sign-ins.
- No free tier for machine-to-machine token requests.
- Not available in AWS GovCloud (US) Regions.
See Amazon Cognito pricing for current limits.
Paid plans
Lite
- direct/social MAUs free tier
- 10,000 MAUs/month
- SAML/OIDC MAUs free tier
- 50 MAUs/month
- direct/social MAU price above free tier
- $0.015 per MAU
- SAML/OIDC MAU price above free tier
- $0.015 per MAU
- Basic user registration, authentication, and management
- Social identity provider and SAML/OIDC integration
- Password-based authentication
- Managed login customization
- MFA with authenticator apps and SMS one-time codes
- Custom runtime actions with Lambda triggers
- 99.9% service level agreement
Essentials
- direct/social MAUs free tier
- 10,000 MAUs/month
- SAML/OIDC MAUs free tier
- 50 MAUs/month
- direct/social MAU price above free tier
- $0.015 per MAU
- SAML/OIDC MAU price above free tier
- $0.015 per MAU
- Comprehensive authentication and access control
- Managed Login and passwordless login options
- Passkeys, email, or SMS login
- Custom access token controls
- Prevent password reuse
- Social identity provider and SAML/OIDC integration
- MFA with authenticator apps and SMS one-time codes
- 99.9% service level agreement
Plus
- direct/social MAUs free tier
- 0 MAUs/month
- SAML/OIDC MAUs free tier
- 50 MAUs/month
- direct/social MAU price above free tier
- $0.020 per MAU
- SAML/OIDC MAU price above free tier
- $0.015 per MAU
- Threat protection for sign-ins
- Risk-based adaptive authentication
- Compromised credentials detection
- Export authentication event logs
- All Essentials features
- Social identity provider and SAML/OIDC integration
- MFA with authenticator apps and SMS one-time codes
- 99.9% service level agreement
Pricing extracted from Amazon Cognito's pricing page. Always verify current pricing before committing.
