User pools provide a secure identity store for your users, handling sign-up, sign-in, and access control for your applications. They support standard identity protocols like OAuth 2.0, SAML 2.0, and OpenID Connect, and can be integrated with HTTP API Gateways to protect your endpoints.

When to use them

User pools are a good choice whenever your application needs to authenticate and authorize users.

Advantages

• Pay-per-MAU: You pay for monthly active users.
• Free tier: The first 50,000 monthly active users are free (for users who sign in directly, not through SAML or OIDC federation).
• Serverless: Scales seamlessly to handle a large number of users.
• Secure by default: User data is stored securely by AWS.
• Compliant: User pools are HIPAA eligible and compliant with PCI DSS, SOC, ISO/IEC 27001, and other standards.

Disadvantages

• Cost at scale: Can become expensive for large user bases or heavy use of SAML or OIDC federation.
• Complexity: Authentication flows and standards like OAuth can be complex to understand and implement correctly.

Basic usage

This example shows a Lambda function connected to an HTTP API Gateway with an authorizer that only allows access to users authenticated by myUserPool.

resources:
  createPost:
    type: function
    properties:
      packaging:
        type: stacktape-lambda-buildpack
        properties:
          entryfilePath: src/index.ts
      events:
        - type: http-api-gateway
          properties:
            httpApiGatewayName: myGateway
            path: /post/create
            method: POST
            authorizer:
              type: cognito
              properties:
                userPoolName: myUserPool

  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8

Password policy

You can enforce a password policy for your users, specifying minimum length and requiring lowercase letters, numbers, symbols, and uppercase letters.

Multi-factor authentication

You can enable multi-factor authentication (MFA) for your user pool to add an extra layer of security.

Hooks

You can use Lambda functions as hooks to trigger custom logic at different points in the user authentication lifecycle, such as before sign-up or after a successful sign-in.

External identity providers

You can allow users to sign in with external identity providers like Google, Facebook, or any SAML or OIDC-compliant provider.

Firewall

You can protect your user pool with a web application firewall.

To learn more, see the Web Application Firewall documentation.

resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  myUserPool:
    type: user-auth-pool
    properties:
      userVerificationType: email-code
      passwordPolicy:
        minimumLength: 8
      useFirewall: myFirewall

Pricing

Amazon Cognito has a free tier for user pools, which includes 10,000 monthly active users (MAUs) for users who sign in directly or through a social identity provider. For users who sign in through SAML or OIDC federation, the free tier includes 50 MAUs.

Beyond the free tier, pricing is based on the number of MAUs. For the "Lite" tier, the costs are as follows:

• 10,001 - 100,000 MAUs: $0.0055 per MAU
• 100,001 - 1,000,000 MAUs: $0.0046 per MAU
• Over 1,000,000 MAUs: $0.00325 per MAU

For users federated through SAML or OIDC, the price is $0.015 per MAU above the free tier.

Additional charges apply for sending SMS messages for MFA and for using advanced security features. For detailed and up-to-date pricing information, see the Amazon Cognito pricing page.

Referenceable parameters

API reference