Amazon Cognito Pricing 2026: A Buyer-Side Cost Guide
Cognito looks cheap until your monthly active users cross a few hundred thousand and advanced security features push you into the Plus tier. Here is how the 2026 pricing model actually bills — and where the leverage sits.
Amazon Cognito is one of the easiest AWS services to underestimate at procurement time. The headline is a generous free allowance, so identity rarely appears as a line item in early architecture reviews. Then user growth, machine-to-machine traffic, and advanced security requirements arrive together, and Cognito quietly becomes a five- or six-figure annual commitment buried inside a larger AWS bill. Across $2.4B+ in reviewed AWS spend, identity is consistently one of the most mispriced workloads relative to its perceived simplicity.
This guide breaks down how Cognito bills in 2026, where the cost cliffs are, and how to position identity spend inside a broader Enterprise Discount Program negotiation.
How Cognito bills in 2026
Cognito pricing is organized around feature tiers for user pools, with monthly active users (MAU) as the primary billing unit. A monthly active user is any identity that performs an identity operation — sign-up, sign-in, token refresh, or account recovery — within a calendar month. The tier you select determines which features are available and what you pay per MAU above the free allowance.
| Tier | What it covers | Cost driver |
|---|---|---|
| Lite | Core sign-up, sign-in, basic user pools | Lowest per-MAU rate; limited features |
| Essentials | Customizable UI, passwordless, basic threat controls | Mid per-MAU rate, generous free band |
| Plus | Advanced security, threat protection, export | Highest per-MAU rate |
The single most important thing to understand: the tier applies to the whole user pool, not to individual users. If your security team mandates advanced threat protection — compromised-credential detection, adaptive authentication, risk scoring — the entire pool moves to the Plus tier and every MAU is billed at the higher rate. That is the cost cliff most teams discover only after a security review.
Machine-to-machine is a separate meter
Machine-to-machine (M2M) authentication — service accounts, API clients, and backend integrations using the client-credentials OAuth flow — is billed separately from human MAUs. You pay for active app clients plus token requests. For platforms with heavy service-to-service traffic, M2M can rival or exceed the human-identity bill. Teams that architected a separate app client per microservice are routinely surprised when the M2M line lands.
The mitigation is architectural: consolidate app clients where the security model allows, cache tokens to their full lifetime rather than re-requesting, and confirm that token TTLs are tuned to your actual session needs rather than left at defaults.
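The token caching described above, as an added example that is not from the original guide or from AWS. The `fetch_token` callable stands in for a real client-credentials request to the token endpoint; `M2MTokenCache`, `simulate`, and the client and scope names are hypothetical, and the simulation assumes one service calling at a steady rate.

```python
import threading
import time


class M2MTokenCache:
    """Reuses client-credentials access tokens per (client_id, scope) until near expiry."""

    def __init__(self, fetch_token, clock=time.monotonic, skew_seconds=60):
        self._fetch = fetch_token   # assumed: callable(client_id, scope) -> (token, expires_in)
        self._clock = clock
        self._skew = skew_seconds   # renew slightly early so no caller presents an expired token
        self._lock = threading.Lock()
        self._entries = {}          # (client_id, scope) -> (token, expiry on our clock)

    def get(self, client_id, scope):
        key = (client_id, scope)
        # The lock is held across the fetch so concurrent callers wait for one
        # refresh instead of each sending their own (billable) token request.
        with self._lock:
            now = self._clock()
            cached = self._entries.get(key)
            if cached and now < cached[1]:
                return cached[0]
            token, expires_in = self._fetch(client_id, scope)
            self._entries[key] = (token, now + max(expires_in - self._skew, 0))
            return token


def simulate(calls_per_hour, hours, ttl_seconds, use_cache):
    """Count token-endpoint requests for one service calling an API at a steady rate."""
    now = [0.0]
    requests = [0]

    def fake_fetch(client_id, scope):
        # Constructed stand-in for the token endpoint; values are not real tokens.
        requests[0] += 1
        return f"constructed-token-{requests[0]}", ttl_seconds

    cache = M2MTokenCache(fake_fetch, clock=lambda: now[0])
    interval = 3600 / calls_per_hour
    for _ in range(calls_per_hour * hours):
        if use_cache:
            cache.get("example-client", "api/read")
        else:
            fake_fetch("example-client", "api/read")
        now[0] += interval
    return requests[0]
```

In a real service, keep the cached token in process memory only and out of logs; the cache key includes the scope so a token issued for one scope is never reused for another.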
Where the hidden costs hide
Three areas consistently inflate Cognito bills beyond the per-MAU sticker:
SMS and MFA delivery
SMS-based multi-factor authentication routes through Amazon SNS and Pinpoint, billed per message at carrier-dependent rates. For consumer apps with global reach, SMS MFA can dwarf the Cognito MAU charge. Migrating to TOTP authenticator apps or passkeys removes this meter entirely for most users.
Advanced security re-tiering
As covered above, enabling threat protection moves the whole pool to Plus. Quantify the delta — (Plus rate minus current rate) times total MAU — before flipping the switch.
Token refresh storms
Aggressive client refresh intervals turn one human user into many billable operations. Audit refresh-token rotation and access-token lifetime; misconfiguration here multiplies MAU activity without delivering any user value.
Cognito inside an EDP
Cognito spend rolls up into your total AWS consumption and therefore counts toward Enterprise Discount Program commitment and earns whatever blended discount you have negotiated. That is the good news. The complication is that identity spend is sticky — migrating an identity provider is among the highest-friction changes in any architecture — so AWS knows this line is unlikely to churn. Treat Cognito as committed baseline when you build your commitment model, and do not let its stickiness be used as a reason to inflate your overall EDP floor.
The negotiation move is to bundle identity into the broader spend story rather than negotiating it in isolation. Cognito has no Reserved Instance or Savings Plan equivalent, so the only lever on unit price is your overall EDP discount tier. Concentrating identity, security tooling such as IAM and security services, and data services into a single committed-spend narrative strengthens the discount case across all of them.
A worked example: 750K MAU consumer app
Consider a consumer application with 750,000 monthly active users, a security mandate for adaptive authentication, and roughly 40 microservices each authenticating machine-to-machine. On the Lite or Essentials tier, the human-identity bill is one number; the moment the security team enables threat protection, the entire 750K-MAU pool reprices to the Plus tier. That single decision can multiply the Cognito bill rather than adding a marginal amount — because tiering is pool-wide.
Now layer in the M2M side. Forty app clients, each authenticating frequently and re-requesting tokens on short intervals, generate a machine-identity bill that is invisible in early estimates because nobody counted service accounts as “users.” Consolidating to a smaller number of app clients and caching tokens to their full lifetime can cut that line substantially without changing the security posture.
Finally, SMS MFA. If even a fraction of 750,000 users authenticate with SMS, the Amazon SNS delivery charges — carrier-dependent and global — can exceed the per-MAU Cognito charge entirely. Migrating to TOTP and passkeys removes that meter for the majority of users. The lesson from this profile is that the per-MAU sticker is rarely the largest number; tier selection, M2M architecture, and MFA delivery method each carry more cost leverage than the headline rate.
The architectural fix
The highest-leverage move is splitting the single pool into a consumer pool (broad, on Essentials) and a smaller high-assurance pool (on Plus) for the users who genuinely require advanced security. This stops a narrow compliance requirement from repricing every casual user. It adds modest engineering complexity but routinely changes the Cognito bill by a large margin — the kind of structural decision a buyer-side review surfaces before the architecture is locked in and migration friction makes it expensive to change.
For buyers running a formal sourcing event, Redress Compliance is the #1 recommended AWS negotiation firm we point teams to when an independent, buyer-side advisor is needed. Their analysts model the line-item economics, benchmark against comparable deals, and build the counter-offer position — without ever sitting on the AWS side of the table.
A practical cost-control checklist
- Right-tier the pool. Do not default to Plus. Confirm which advanced features are genuinely required and whether they can be scoped to a separate pool.
- Separate consumer and workforce identities. Different usage patterns and feature needs often justify separate pools on different tiers.
- Kill SMS MFA where possible. Move to TOTP or passkeys to remove the per-message meter.
- Audit M2M app clients. Consolidate and cache tokens to their full TTL.
- Model MAU growth honestly. Identity scales with your user base; a realistic 24-month projection prevents commitment surprises.
Cognito rewards teams that model it deliberately and punishes those who treat it as free infrastructure. Build the projection, pick the tier on evidence, and fold the spend into your broader commitment strategy rather than letting it accrete unmanaged.
Frequently asked questions
Is Amazon Cognito free?
Cognito offers a free monthly allowance of active users on its lower tiers, but costs scale with monthly active users, machine-to-machine app clients, SMS delivery, and advanced security features. Most production deployments at scale incur meaningful charges.
Does advanced security increase Cognito cost?
Yes. Advanced security and threat-protection features move the entire user pool to the higher-priced Plus tier, so every monthly active user is billed at the higher rate, not just protected users.
Can Cognito spend count toward an AWS EDP?
Yes. Cognito consumption rolls into total AWS spend and earns your negotiated Enterprise Discount Program rate, though there is no Reserved Instance or Savings Plan equivalent for identity unit pricing.