

# User pool feature plans
<a name="cognito-sign-in-feature-plans"></a>

Understanding the cost is a crucial step in preparing to implement Amazon Cognito user pools authentication. Amazon Cognito has feature plans for user pools. Each plan has a set of features and a monthly cost per active user. Each feature plan unlocks access to more features than the one before it.

User pools have a variety of features that you can turn on and off. For example, you can turn on multi-factor authentication (MFA) and turn off sign-in with third-party identity providers (IdPs). Some changes require you to switch your feature plan. The following characteristics of your user pool determine the cost that AWS bills you monthly for usage.
+ The features that you choose
+ The requests per second that your application makes to the user pools API
+ The number of users with authentication, update, or query activity in a month, also called [monthly active users](quotas.md#monthly-active-users) or MAUs
+ The number of monthly active users from third-party SAML 2.0 or OpenID Connect (OIDC) IdPs
+ The number of app clients and user pools that do client-credentials grants for machine-to-machine authorization

For the most current information about user pool pricing, see [Amazon Cognito pricing](https://aws.amazon.com/cognito/pricing).

Feature-plan selections apply to one user pool. Different user pools in the same AWS account can have different plan selections. You can't apply separate feature plans to app clients within a user pool. The default plan selection for new user pools is Essentials.

You can switch between feature plans at any time to fit the requirements of your applications. Some changes between plans require that you turn off active features. For more information, see [Turning off features to change feature plans](feature-plans-deactivate.md).

**Lite**  
Lite is a low-cost feature plan for user pools with lower numbers of monthly active users. This plan is sufficient for user directories with basic authentication features. It includes sign-in features and the classic hosted UI, a slimmer, less-customizable predecessor to managed login. Many newer features, like access-token customization and passkey authentication, aren't included in the Lite plan.

**Essentials**  
Essentials has all of the latest user pool authentication features. This plan adds new options to your applications, whether your login pages are managed login or custom-built. Essentials has advanced authentication features like [choice-based sign-in](authentication-flows-selection-sdk.md#authentication-flows-selection-choice) and [email MFA](user-pool-settings-mfa-sms-email-message.md).

**Plus**  
Plus includes everything in the Essentials plan and adds advanced security features that protect your users. Monitor user sign-in, sign-up, and password-management requests for indicators of compromise. For example, user pools can detect whether users are signing in from an unexpected location or using a password that's been part of a public breach.  
User pools with the Plus plan generate logs of user activity details and risk evaluations. You can apply your own usage and security analysis to these logs when you export them to external services.

**Note**  
Previously, some user pool features were included in an *advanced security features* pricing structure. The features that were included in this structure are now under either the Essentials or Plus plan.

**Topics**
+ [Select a feature plan](#cognito-sign-in-feature-plans-choose)
+ [Features by plan](#cognito-sign-in-feature-plans-list)
+ [Essentials plan features](feature-plans-features-essentials.md)
+ [Plus plan features](feature-plans-features-plus.md)
+ [Turning off features to change feature plans](feature-plans-deactivate.md)

## Select a feature plan
<a name="cognito-sign-in-feature-plans-choose"></a>

------
#### [ AWS Management Console ]

To choose a feature plan

1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials.

1. Choose **User Pools**.

1. Choose an existing user pool from the list, or create a user pool.

1. Select the **Settings** menu and review the **Feature plans** tab.

1. Review the features available to you in the Lite, Essentials, and Plus plans.

1. To change your plan, select **Switch to Essentials**, or **Switch to Plus**. To switch to the **Lite** plan, choose **Other plans**, then **Compare with Lite**.

1. On the next screen, review your choice and select **Confirm**.

------
#### [ CLI/API/SDK ]

The [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) and [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) operations set your feature plan in the `UserPoolTier` parameter. When you don't specify a value for `UserPoolTier`, your user pool defaults to `ESSENTIALS`. If you set `AdvancedSecurityMode` to `AUDIT` or `ENFORCED`, your user pool tier must be `PLUS`; in that case, `UserPoolTier` defaults to `PLUS` when you don't specify it.

See [Examples in CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#API_CreateUserPool_Examples) for syntax. See [See Also in CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#API_CreateUserPool_SeeAlso) for links to this operation in the AWS SDKs for a variety of programming languages.

```
"UserPoolTier": "PLUS"
```

In the AWS CLI, this option is the `--user-pool-tier` argument.

```
--user-pool-tier PLUS
```

See [create-user-pool](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool.html) and [update-user-pool](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool.html) in the AWS CLI command reference for more information. Note that `update-user-pool` replaces the whole user pool configuration: attributes that you leave out of the request are reset to their default values, so include your existing settings along with the new tier.

------

## Features by plan
<a name="cognito-sign-in-feature-plans-list"></a>


**Features and plans in user pools**  

| Feature | Description | Feature plan | 
| --- | --- | --- | 
| Protect against unsafe passwords | Check plaintext passwords for indicators of compromise at runtime | Plus | 
| Protect against malicious sign-in attempts | Check session properties for indicators of compromise at runtime | Plus | 
| Log and analyze user activity | Generate logs of user authentication session properties and risk scores | Plus | 
| Export user activity logs | Push user session and risk logs to an external AWS service | Plus | 
| Customize managed login pages with a visual editor | Use a visual editor in the Amazon Cognito console to apply branding and style to your managed login pages | Essentials, Plus | 
| MFA with email one-time codes | Request or require local users to provide an additional email message sign-in factor after username authentication | Essentials, Plus | 
| Customize access token scopes and claims at runtime | Use a Lambda trigger to extend the authorization capabilities of user pool access tokens | Essentials, Plus | 
| Passwordless sign-in with one-time codes | Permit users to receive a one-time password by email or SMS as their first authentication factor | Essentials, Plus | 
| Passkey sign-in with hardware or software FIDO2 authenticators | Permit users to use a cryptographic key stored on a FIDO2 authenticator as their first authentication factor | Essentials, Plus | 
| Sign-up and sign-in | Perform authentication operations and let new users register for an account in your application. | Lite, Essentials, Plus | 
| User groups | Create logical groupings of users and assign default IAM roles for identity pool operations. | Lite, Essentials, Plus | 
| Sign-in with social, SAML, and OIDC providers | Provide users with the options to sign in directly or with their preferred provider. | Lite, Essentials, Plus | 
| OAuth 2.0/OIDC authorization server | Act as an OIDC issuer. | Lite, Essentials, Plus | 
| Login pages | A hosted collection of webpages for authentication. Managed login is available in the Essentials and Plus tiers. The classic hosted UI is available in all feature tiers. | Lite, Essentials, Plus | 
| Password, custom, refresh-token, and SRP authentication | Prompt users for a username and password in your application. | Lite, Essentials, Plus | 
| Machine-to-machine (M2M) with client credentials | Issue access tokens for authorization of non-human entities. | Lite, Essentials, Plus | 
| API authorization with resource servers | Issue access tokens with custom scopes that authorize access to external systems. | Lite, Essentials, Plus | 
| User import | Set up import jobs from CSV files and perform just-in-time migration of users as they sign in. | Lite, Essentials, Plus | 
| MFA with authenticator apps and SMS one-time codes | Request or require local users to provide an additional SMS message or authenticator app sign-in factor after username authentication | Lite, Essentials, Plus | 
| Customize ID token scopes and claims at runtime | Use a Lambda trigger to extend the authentication capabilities of user pool identity (ID) tokens | Lite, Essentials, Plus | 
| Custom runtime actions with Lambda triggers | Customize the sign-in process at runtime with Lambda functions that perform external actions and influence authentication | Lite, Essentials, Plus | 
| Customize managed login pages with CSS | Download a CSS template and change some styles in your managed login pages | Lite, Essentials, Plus | 

# Essentials plan features
<a name="feature-plans-features-essentials"></a>

The Essentials feature plan has most of the best and latest features of Amazon Cognito user pools. When you switch from the Lite to the Essentials plan, you get new features for your managed login pages, multi-factor authentication with email-message one-time passwords, an enhanced password policy, and custom access tokens. To stay up-to-date with new user pool features, choose the Essentials plan for your user pools.

The sections that follow present a brief overview of the features that you can add to your application with the Essentials plan. For detailed information, see the following pages.

**Additional resources**
+ Access token customization: [Pre token generation Lambda trigger](user-pool-lambda-pre-token-generation.md)
+ Email MFA: [SMS and email message MFA](user-pool-settings-mfa-sms-email-message.md)
+ Password history: [Passwords, account recovery, and password policies](managing-users-passwords.md)
+ Enhanced UI: [Apply branding to managed login pages](managed-login-branding.md)

**Topics**
+ [Access token customization](#features-access-token-customization)
+ [Email MFA](#features-email-mfa)
+ [Password reuse prevention](#features-password-reuse)
+ [Managed login hosted sign-in and authorization server](#features-enhanced-ui)
+ [Choice-based authentication](#features-user-auth)

## Access token customization
<a name="features-access-token-customization"></a>

User pool [access tokens](https://datatracker.ietf.org/doc/html/rfc6749#section-1.4) grant permissions to applications: to [access an API](cognito-user-pools-define-resource-servers.md), to retrieve user attributes from the [userInfo endpoint](userinfo-endpoint.md), or to establish [group membership](cognito-user-pools-user-groups.md) for an external system. In advanced scenarios, you might want to add to the default access-token data from the user pool directory with additional temporary parameters that your application determines at runtime. For example, you might want to verify a user's API permissions with [Amazon Verified Permissions](amazon-cognito-authorization-with-avp.md) and adjust the scopes in the access token accordingly.

The Essentials plan adds to the existing functions of a [pre token generation trigger](user-pool-lambda-pre-token-generation.md). With lower-tier plans, you can customize ID tokens with additional claims, roles, and group membership. Essentials adds new versions of the trigger input event that customize access token claims, roles, group membership, and scopes. Access token customization is available to machine-to-machine (M2M) [client credentials grants](federation-endpoints-oauth-grants.md) with event version three.

**To customize access tokens**

1. Select the Essentials or Plus feature plan.

1. Create a Lambda function for your trigger. To use our example function, [configure it for Node.js](https://docs.aws.amazon.com/lambda/latest/dg/lambda-nodejs.html).

1. Populate your Lambda function with our [example code](user-pool-lambda-pre-token-generation.md#aws-lambda-triggers-pre-token-generation-example-version-2-overview) or compose your own. Your function must process a request object from Amazon Cognito and return the changes that you want to include.

1. Assign your new function as a [version two or three](user-pool-lambda-pre-token-generation.md#user-pool-lambda-pre-token-generation-event-versions) pre token generation trigger. Version two events customize access tokens for user identities. Version three customizes access tokens for user and machine identities.
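The following handler is an added example of a version two pre token generation trigger in Python; it is not the example code from the Amazon Cognito docs. It reads the `request` object of a V2_0 event and returns `accessTokenGeneration` overrides: a `tenant_id` claim copied from a hypothetical custom attribute `custom:tenant_id`, a read scope for every user and a write scope for members of a hypothetical `admins` group (both scopes assumed to belong to a resource server named `orders-api`), and suppression of the `aws.cognito.signin.user.admin` scope so the token can't be used to call self-service user pool APIs. The list of reserved claims it refuses to override is partial and is an assumption to check against the trigger reference; the sample event is constructed for local runs.

```python
import copy

# Claims that Amazon Cognito does not let a trigger add or override. This is a
# partial list written for this example; check it against the trigger reference.
RESERVED_CLAIMS = frozenset({
    "sub", "iss", "aud", "exp", "iat", "nbf", "auth_time", "jti", "origin_jti",
    "token_use", "scope", "client_id", "username", "event_id",
})

# Scope that lets the bearer call self-service user pool APIs such as
# UpdateUserAttributes and DeleteUser. Tokens meant only for your API don't need it.
SELF_SERVICE_SCOPE = "aws.cognito.signin.user.admin"

# Hypothetical names used by this example: a resource server `orders-api`, a
# user pool group `admins`, and a custom attribute `custom:tenant_id`.
READ_SCOPE = "orders-api/read"
WRITE_SCOPE = "orders-api/write"
ADMIN_GROUP = "admins"
TENANT_ATTR = "custom:tenant_id"


def build_access_token_overrides(request):
    """Work out access-token changes from the V2_0 event's request object."""
    attrs = request.get("userAttributes", {})
    groups = set(request.get("groupConfiguration", {}).get("groupsToOverride", []))
    granted = set(request.get("scopes", []))

    claims = {}
    tenant = attrs.get(TENANT_ATTR)
    if tenant:
        claims["tenant_id"] = tenant

    clash = RESERVED_CLAIMS.intersection(claims)
    if clash:
        raise ValueError(f"refusing to override reserved claims: {sorted(clash)}")

    # Every authenticated user may read; only members of the admin group may write.
    scopes_to_add = [READ_SCOPE]
    if ADMIN_GROUP in groups:
        scopes_to_add.append(WRITE_SCOPE)

    # Drop the self-service scope if Amazon Cognito granted it.
    scopes_to_suppress = [SELF_SERVICE_SCOPE] if SELF_SERVICE_SCOPE in granted else []

    return {
        "claimsToAddOrOverride": claims,
        "claimsToSuppress": [],
        "scopesToAdd": scopes_to_add,
        "scopesToSuppress": scopes_to_suppress,
    }


def lambda_handler(event, context=None):
    """Entry point for a V2_0 pre token generation trigger."""
    if event.get("version") != "2":
        raise ValueError("this handler expects a version 2 trigger event")
    out = copy.deepcopy(event)  # return the event with the response filled in
    out["response"]["claimsAndScopeOverrideDetails"] = {
        "accessTokenGeneration": build_access_token_overrides(event["request"]),
    }
    return out


# Constructed sample event in the V2_0 shape, for running the handler locally.
SAMPLE_EVENT = {
    "version": "2",
    "triggerSource": "TokenGeneration_HostedAuth",
    "region": "us-west-2",
    "userPoolId": "us-west-2_EXAMPLE",
    "userName": "alice",
    "callerContext": {"awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "1example23456789"},
    "request": {
        "userAttributes": {
            "sub": "11111111-2222-3333-4444-555555555555",
            "email": "alice@example.com",
            TENANT_ATTR: "acme",
        },
        "groupConfiguration": {"groupsToOverride": [ADMIN_GROUP], "iamRolesToOverride": [], "preferredRole": None},
        "scopes": ["openid", "email", SELF_SERVICE_SCOPE],
    },
    "response": {"claimsAndScopeOverrideDetails": None},
}

if __name__ == "__main__":
    import json
    print(json.dumps(lambda_handler(SAMPLE_EVENT)["response"], indent=2))
```

The handler deep-copies the event rather than mutating it, so a failed override never leaves a half-written response behind, and it rejects any attempt to set a reserved claim before Amazon Cognito does, which turns a silent token-generation failure into a logged error in the function.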

**Learn more**
+ [Customizing the access token](user-pool-lambda-pre-token-generation.md#user-pool-lambda-pre-token-generation-accesstoken)
+ [How to customize access tokens in Amazon Cognito user pools](https://aws.amazon.com/blogs/security/how-to-customize-access-tokens-in-amazon-cognito-user-pools/)

## Email MFA
<a name="features-email-mfa"></a>

Amazon Cognito user pools can be configured to use email as the second factor in multi-factor authentication (MFA). With email MFA, Amazon Cognito can send users an email with a verification code that they must enter to complete the authentication process. This adds an important extra layer of security to the user login flow. To enable email-based MFA, the user pool must be configured to use the [Amazon SES email-sending configuration](user-pool-email.md#user-pool-email-developer) instead of the default email configuration.

When your user selects MFA by email message, Amazon Cognito will send a one-time verification code to the user's registered email address whenever they attempt to sign in. The user must then provide this code back to your user pool to complete the authentication flow and gain access. This ensures that even if a user's username and password are compromised, they must provide an additional factor—the emailed code—before they can access your application resources.

For more information, see [SMS and email message MFA](user-pool-settings-mfa-sms-email-message.md). The following is an overview of how to set up your user pool and users for email MFA.

**To set up email MFA in the Amazon Cognito console**

1. Select the Essentials or Plus feature plan.

1. In the **Sign-in** menu of your user pool, edit **Multi-factor authentication**.

1. Choose the level of **MFA enforcement** that you want to set up. With **Require MFA**, users in the API automatically receive a challenge to set up, confirm, and sign in with MFA. In user pools that require MFA, managed login prompts them to choose and set up an MFA factor. With **Optional MFA**, your application must offer users the option to set up MFA and set the user's preference for email MFA.

1. Under **MFA methods**, select **Email message** as one of the options.

**Learn more**
+ [SMS and email message MFA](user-pool-settings-mfa-sms-email-message.md)

## Password reuse prevention
<a name="features-password-reuse"></a>

By default, an Amazon Cognito user pool password policy sets password length and character-type requirements, and temporary-password expiration. The Essentials plan adds the capability to enforce password history. When a user attempts to reset their password, your user pool can prevent them from setting it to a previous password. For more information about configuring the password policy, see [Adding user pool password requirements](managing-users-passwords.md#user-pool-settings-policies). The following is an overview of how to set up your user pool with a password-history policy.

**To set up password history in the Amazon Cognito console**

1. Select the Essentials or Plus feature plan.

1. In the **Authentication methods** menu of your user pool, locate **Password policy** and select **Edit**.

1. Configure other available options and set a value for **Prevent use of previous passwords**.

**Learn more**
+ [Passwords, account recovery, and password policies](managing-users-passwords.md)

## Managed login hosted sign-in and authorization server
<a name="features-enhanced-ui"></a>

Amazon Cognito user pools have optional webpages that support the following functions: an OpenID Connect (OIDC) IdP, a service provider or relying party to third-party IdPs, and public user-interactive pages for sign-up and sign-in. These pages are collectively called *managed login*. When you choose a domain for your user pool, Amazon Cognito automatically activates these pages. Where the Lite plan has the hosted UI, the Essentials plan opens up this advanced version of sign-up and sign-in pages.

Managed login pages have a clean, up-to-date interface with more features and options for customizing your branding and styles. The Essentials plan is the lowest plan level that unlocks access to managed login.

**To set up managed login in the Amazon Cognito console**

1. From the **Settings** menu, select the Essentials or Plus feature plan.

1. From the **Domain** menu, [Assign a domain](cognito-user-pools-assign-domain.md) to your user pool and select a **Branding version** of **Managed login**.

1. From the **Managed login** menu, under **Styles** tab, choose **Create a style** and assign the style to an app client, or create a new app client.

**Learn more**
+ [User pool managed login](cognito-user-pools-managed-login.md)

## Choice-based authentication
<a name="features-user-auth"></a>

The Essentials tier introduces a new *authentication flow* for authentication operations in the enhanced UI and SDK-based API operations. This flow is *choice-based authentication*. Choice-based authentication is a method where your users' authentication starts not with an application-side declaration of a sign-in method, but a query of possible sign-in methods followed by a choice. You can configure your user pool to support choice-based authentication and unlock username-password, passwordless, and passkey authentication. In the API, this is the `USER_AUTH` flow.

**To set up choice-based authentication in the Amazon Cognito console**

1. Select the Essentials or Plus feature plan.

1. In the **Sign-in** menu of your user pool, edit **Options for choice-based sign-in**. Select and configure the authentication methods you want to enable in choice-based authentication.

1. In the **Authentication methods** menu of your user pool, edit the configuration of sign-in operations.
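The following is an added example, not code from the Amazon Cognito docs, of the `USER_AUTH` exchange from the client side in Python. `authenticate` drives `InitiateAuth` and `RespondToAuthChallenge` with boto3-style method names, answers only the challenges the app was built for (`EMAIL_OTP` and `PASSWORD` here) and refuses anything else, so a changed pool configuration can't steer the client into a flow it doesn't understand. `FakeCognito` is a constructed stand-in that plays the user pool's side for a user with no passkey, so the exchange runs offline; its response shapes follow the `InitiateAuth` and `RespondToAuthChallenge` API, and the app client ID, username and code are placeholders.

```python
# Challenges this client knows how to answer, in order of preference. Anything
# else is refused rather than guessed at.
SUPPORTED_CHALLENGES = ("EMAIL_OTP", "PASSWORD")


class ChallengeRefused(Exception):
    """Raised when the user pool offers a challenge this client won't answer."""


def authenticate(client, client_id, username, preferred_challenge, answers, max_round_trips=5):
    """Run InitiateAuth and RespondToAuthChallenge until tokens come back.

    `client` exposes boto3 cognito-idp method names (`initiate_auth`,
    `respond_to_auth_challenge`). `answers` maps a challenge name to a callable
    that returns the user's input for that challenge.
    """
    response = client.initiate_auth(
        AuthFlow="USER_AUTH",
        ClientId=client_id,
        AuthParameters={"USERNAME": username, "PREFERRED_CHALLENGE": preferred_challenge},
    )
    for _ in range(max_round_trips):
        if "AuthenticationResult" in response:
            return response["AuthenticationResult"]
        name = response["ChallengeName"]
        if name == "SELECT_CHALLENGE":
            # The preferred challenge wasn't available; choose the first one
            # that both the pool offers and this client supports.
            available = response.get("AvailableChallenges", [])
            order = (preferred_challenge,) + SUPPORTED_CHALLENGES
            choice = next((c for c in order if c in SUPPORTED_CHALLENGES and c in available), None)
            if choice is None:
                raise ChallengeRefused(f"none of {available} is supported by this client")
            responses = {"USERNAME": username, "ANSWER": choice}
        elif name == "EMAIL_OTP":
            responses = {"USERNAME": username, "EMAIL_OTP_CODE": answers[name]()}
        elif name == "PASSWORD":
            responses = {"USERNAME": username, "PASSWORD": answers[name]()}
        else:
            raise ChallengeRefused(f"unexpected challenge {name}")
        response = client.respond_to_auth_challenge(
            ClientId=client_id,
            ChallengeName=name,
            Session=response["Session"],
            ChallengeResponses=responses,
        )
    raise ChallengeRefused("too many round trips without tokens")


class FakeCognito:
    """Constructed stand-in for the user pool: the user has no passkey, and the
    pool offers password and email OTP sign-in. Records every call it receives."""

    def __init__(self, code="123456"):
        self.code = code
        self.calls = []

    def initiate_auth(self, **kwargs):
        self.calls.append(("InitiateAuth", kwargs))
        # A WEB_AUTHN preference can't be honored without a passkey, so the
        # pool asks the client to choose from what is available.
        return {
            "ChallengeName": "SELECT_CHALLENGE",
            "Session": "session-1",
            "AvailableChallenges": ["PASSWORD", "PASSWORD_SRP", "EMAIL_OTP"],
        }

    def respond_to_auth_challenge(self, **kwargs):
        self.calls.append(("RespondToAuthChallenge", kwargs))
        name, given = kwargs["ChallengeName"], kwargs["ChallengeResponses"]
        if name == "SELECT_CHALLENGE" and given.get("ANSWER") == "EMAIL_OTP":
            return {
                "ChallengeName": "EMAIL_OTP",
                "Session": "session-2",
                "ChallengeParameters": {
                    "CODE_DELIVERY_DELIVERY_MEDIUM": "EMAIL",
                    "CODE_DELIVERY_DESTINATION": "a***@example.com",
                },
            }
        if name == "EMAIL_OTP" and given.get("EMAIL_OTP_CODE") == self.code:
            return {"AuthenticationResult": {
                "AccessToken": "constructed-access-token", "IdToken": "constructed-id-token",
                "TokenType": "Bearer", "ExpiresIn": 3600}}
        raise RuntimeError("NotAuthorizedException: incorrect challenge response")


if __name__ == "__main__":
    import boto3  # against a real pool; FakeCognito() can be passed instead to run offline
    tokens = authenticate(
        boto3.client("cognito-idp", region_name="us-west-2"), "1example23456789", "alice", "EMAIL_OTP",
        {"EMAIL_OTP": lambda: input("code from email: "), "PASSWORD": lambda: input("password: ")},
    )
    print(tokens["TokenType"], tokens["ExpiresIn"])
```

Bounding the number of round trips and allowlisting challenge names are the two checks worth keeping in a real client: without them, a client that simply echoes whatever `ChallengeName` it receives will happily answer a challenge the application never intended to offer.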

**Learn more**
+ [Authentication with Amazon Cognito user pools](authentication.md)

# Plus plan features
<a name="feature-plans-features-plus"></a>

The Plus feature plan has advanced security features for Amazon Cognito user pools. These features log and analyze user context at runtime for potential security issues in devices, locations, request data, and passwords. They then mitigate potential risks with automatic responses that block or add security safeguards to user accounts. You can also export your security logs to Amazon S3, Amazon Data Firehose, or Amazon CloudWatch Logs for further analysis.

When you switch from the Essentials to the Plus plan, you get all the features in Essentials and the additional features that follow. These include the threat protection set of security options also known as *advanced security features*. To configure your user pools to automatically adapt to threats in your authentication front end, choose the Plus plan for your user pools.

The sections that follow present a brief overview of the features that you can add to your application with the Plus plan. For detailed information, see the following pages.

**Additional resources**
+ Adaptive authentication: [Working with adaptive authentication](cognito-user-pool-settings-adaptive-authentication.md)
+ Compromised credentials: [Working with compromised-credentials detection](cognito-user-pool-settings-compromised-credentials.md)
+ Log export: [Exporting logs from Amazon Cognito user pools](exporting-quotas-and-usage.md)

**Topics**
+ [Threat protection: adaptive authentication](#features-adaptive-authentication)
+ [Threat protection: compromised-credentials detection](#features-compromised-credentials)
+ [Threat protection: user activity logging](#features-user-logs)

## Threat protection: adaptive authentication
<a name="features-adaptive-authentication"></a>

The Plus plan includes an *adaptive authentication* feature. When you activate this feature, your user pool makes a risk assessment of every user authentication session. From the resulting risk ratings, you can block authentication or push MFA for users who sign in with a risk level above a threshold that you determine. With adaptive authentication, your user pool and application automatically block or set up MFA for users whose accounts you suspect are being attacked. You can also provide feedback on the risk ratings from your user pool to adjust future ratings.

**To set up adaptive authentication in the Amazon Cognito console**

1. Select the Plus feature plan.

1. From the **Threat protection** menu of your user pool, edit **Standard and custom authentication** under **Threat protection**.

1. Set the **enforcement mode** for standard or custom authentication to **Full-function**.

1. Under **Adaptive authentication**, configure automatic risk responses for different levels of risk.

**Learn more**
+ [Working with adaptive authentication](cognito-user-pool-settings-adaptive-authentication.md)
+ [Collecting data for threat protection in applications](user-pool-settings-viewing-threat-protection-app.md)

## Threat protection: compromised-credentials detection
<a name="features-compromised-credentials"></a>

The Plus plan includes a *compromised-credentials detection* feature. This feature guards against the use of insecure passwords and the threat of unintended application access that this practice creates. When you permit your users to sign in with username and password, they might reuse a password that they've used elsewhere. That password might have been leaked, or just be commonly guessed. With compromised-credentials detection, your user pool reads the passwords your users submit and compares them to password databases. If the operation results in a decision that the password is likely compromised, you can configure your user pool to block sign-in and then initiate a password reset for the user in your application.

Compromised-credentials detection can react to insecure passwords when new users sign up, when existing users sign in, and when users attempt to reset their passwords. With this feature, your user pool can prevent or warn about sign-in with insecure passwords wherever users enter them.

**To set up compromised-credentials detection in the Amazon Cognito console**

1. Select the Plus feature plan.

1. From the **Threat protection** menu of your user pool, edit **Standard and custom authentication** under **Threat protection**.

1. Set the **enforcement mode** for standard or custom authentication to **Full-function**.

1. Under **Compromised credentials**, configure the types of authentication operations that you want to check, and the automated response that you want from your user pool.

**Learn more**
+ [Working with compromised-credentials detection](cognito-user-pool-settings-compromised-credentials.md)

## Threat protection: user activity logging
<a name="features-user-logs"></a>

The Plus plan adds a logging feature that gives security analysis and details of user authentication attempts. You can see risk assessments, user IP addresses, user agents, and other information about the device that connected to your application. You can act on this information with the built-in threat protection features, or you can analyze your logs in your own systems and take appropriate action. You can export the logs from threat protection to Amazon S3, CloudWatch Logs, or Amazon Data Firehose.

**To set up user activity logging in the Amazon Cognito console**

1. Select the Plus feature plan.

1. From the **Threat protection** menu of your user pool, edit **Standard and custom authentication** under **Threat protection**.

1. Set the **enforcement mode** for standard or custom authentication to **Audit-only**. This is the minimum setting for logs. You can also activate it in **Full-function** mode and configure other threat protection features.

1. To export your logs to another AWS service for third-party analysis, go to the **Log streaming** menu of your user pool and set up an export destination.
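The following is an added example, not from the Amazon Cognito docs, of the kind of analysis you can run on exported user-activity logs in your own systems. `triage` walks a batch of auth events and flags three things an analyst would want to see: a compromised-credentials detection, a high-risk session that nevertheless succeeded (expected in Audit-only mode, a gap to investigate in Full-function mode), and one source IP address with failed sign-ins against several distinct users, a common credential-stuffing signature. The records are constructed in the shape of `AdminListUserAuthEvents` output (`EventType`, `EventResponse`, `EventRisk`, `EventContextData`) with a `UserName` field added, since exported logs cover all users of the pool; the assumption is that your export pipeline preserves those field names.

```python
from collections import defaultdict

# Constructed sample records: one normal sign-in, one high-risk sign-in that
# passed, three failed sign-ins against different users from one address, and
# a password change blocked for a compromised password.
SAMPLE_EVENTS = [
    {"EventId": "e1", "EventType": "SignIn", "EventResponse": "Pass", "UserName": "alice",
     "EventRisk": {"RiskDecision": "NoRisk", "RiskLevel": "Low", "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "203.0.113.10", "City": "Seattle", "Country": "United States",
                          "DeviceName": "Chrome 124, Windows 10"}},
    {"EventId": "e2", "EventType": "SignIn", "EventResponse": "Pass", "UserName": "alice",
     "EventRisk": {"RiskDecision": "AccountTakeover", "RiskLevel": "High", "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "198.51.100.7", "City": "Unknown", "Country": "Unknown",
                          "DeviceName": "curl/8.4.0"}},
    {"EventId": "e3", "EventType": "SignIn", "EventResponse": "Fail", "UserName": "bob",
     "EventRisk": {"RiskDecision": "NoRisk", "RiskLevel": "Low", "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "198.51.100.7", "City": "Unknown", "Country": "Unknown",
                          "DeviceName": "curl/8.4.0"}},
    {"EventId": "e4", "EventType": "SignIn", "EventResponse": "Fail", "UserName": "carol",
     "EventRisk": {"RiskDecision": "NoRisk", "RiskLevel": "Low", "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "198.51.100.7", "City": "Unknown", "Country": "Unknown",
                          "DeviceName": "curl/8.4.0"}},
    {"EventId": "e5", "EventType": "SignIn", "EventResponse": "Fail", "UserName": "dave",
     "EventRisk": {"RiskDecision": "NoRisk", "RiskLevel": "Low", "CompromisedCredentialsDetected": False},
     "EventContextData": {"IpAddress": "198.51.100.7", "City": "Unknown", "Country": "Unknown",
                          "DeviceName": "curl/8.4.0"}},
    {"EventId": "e6", "EventType": "PasswordChange", "EventResponse": "Fail", "UserName": "carol",
     "EventRisk": {"RiskDecision": "Block", "RiskLevel": "High", "CompromisedCredentialsDetected": True},
     "EventContextData": {"IpAddress": "203.0.113.22", "City": "Portland", "Country": "United States",
                          "DeviceName": "Firefox 125, macOS 14"}},
]


def triage(events, stuffing_threshold=3):
    """Return (kind, user, ip, detail) findings worth an analyst's attention."""
    findings = []
    failed_users_by_ip = defaultdict(set)
    for event in events:
        risk = event.get("EventRisk") or {}
        context = event.get("EventContextData") or {}
        ip = context.get("IpAddress")
        user = event.get("UserName")
        event_type = event.get("EventType")
        outcome = event.get("EventResponse")

        if risk.get("CompromisedCredentialsDetected"):
            findings.append(("compromised_credentials", user, ip, event_type))

        # A session rated High that still passed: either enforcement is Audit-only,
        # or the adaptive-authentication response for High risk is not set to block.
        if risk.get("RiskLevel") == "High" and outcome == "Pass":
            findings.append(("high_risk_success", user, ip, context.get("DeviceName")))

        if event_type == "SignIn" and outcome == "Fail" and ip and user:
            failed_users_by_ip[ip].add(user)

    # Many distinct usernames failing from one address is the spray/stuffing pattern;
    # one user failing many times from one address is more likely a forgotten password.
    for ip, users in sorted(failed_users_by_ip.items()):
        if len(users) >= stuffing_threshold:
            findings.append(("credential_stuffing_suspect", None, ip, f"{len(users)} distinct users failed"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The stuffing check keys on distinct usernames per address rather than raw failure counts on purpose: the per-user signal is what the user pool's own lockout and adaptive authentication already cover, while the cross-user view is only visible once the logs are exported and aggregated.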

**Learn more**
+ [Exporting user authentication events](cognito-user-pool-settings-adaptive-authentication.md#user-pool-settings-adaptive-authentication-event-user-history-exporting)
+ [Exporting logs from Amazon Cognito user pools](exporting-quotas-and-usage.md)

# Turning off features to change feature plans
<a name="feature-plans-deactivate"></a>

Feature plans add configuration options to your user pool. You can configure and use these features only when the related feature plan is active. For example, you can configure access token customization in the Plus and Essentials plans, but not in the Lite plan. To deactivate these features, you must deactivate each active component. The **Switch to** option in the **Settings** menu in the Amazon Cognito console notifies you of the features you must deactivate before you can change your feature plan. With this chapter, you can learn the changes that deactivation makes to your user pool configuration, and how to turn off these features individually.

**Access token customization**  
To switch to a plan that doesn't include access token customization, you must remove the [pre token generation Lambda trigger](user-pool-lambda-pre-token-generation.md#user-pool-lambda-pre-token-generation-accesstoken) from your user pool. To add a new pre token generation trigger without access token customization, assign a new function to the trigger and configure it for `V1_0` events. These version one trigger events can process changes to ID tokens only.  
To manually deactivate access token customization, remove your pre token generation trigger and add a new version one trigger.

**Threat protection**  
To switch to a plan without threat protection, deactivate all features from the **Threat protection** menu of your user pool.

**Log export**  
To switch to a plan without log export, deactivate it from the **Log streaming** menu of your user pool. Your user pool no longer generates local or exported user-activity logs. You can also send a [SetLogDeliveryConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html) API request that removes any configuration with an `EventSource` value of `UserActivity`.

**Email MFA**  
To switch to a plan without email MFA, go to the **Sign-in** menu of your user pool. Edit **Multi-factor authentication** and deselect **Email message** as one of the available **MFA methods**.
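The following is an added pre-flight check in Python, not code from the Amazon Cognito docs, that applies the rules above to a user pool's current configuration and lists what must be turned off before a plan change. It reads the shapes returned by `DescribeUserPool` (`LambdaConfig.PreTokenGenerationConfig.LambdaVersion`, `UserPoolAddOns.AdvancedSecurityMode`, `UserPoolTier`), `GetUserPoolMfaConfig` and `GetLogDeliveryConfiguration`. Two details are assumptions to verify against the API reference: that the email MFA method is enabled when `EmailMfaConfiguration` is present and MFA is not `OFF`, and that user-activity log delivery uses the `EventSource` value `userAuthEvents`. The sample responses are constructed; the user pool ID, function ARN and log group ARN are placeholders.

```python
# Plans that include each plan-gated feature, as described on this page.
FEATURE_PLANS = {
    "access token customization": {"ESSENTIALS", "PLUS"},
    "email MFA": {"ESSENTIALS", "PLUS"},
    "threat protection": {"PLUS"},
    "user activity log export": {"PLUS"},
}
TIERS = {"LITE", "ESSENTIALS", "PLUS"}


def active_features(user_pool, mfa_config, log_delivery):
    """Detect which plan-gated features a user pool currently uses.

    user_pool:    DescribeUserPool()["UserPool"]
    mfa_config:   GetUserPoolMfaConfig() response
    log_delivery: GetLogDeliveryConfiguration()["LogDeliveryConfiguration"], or None
    """
    active = set()

    # Only V2_0 and V3_0 pre token generation events can change access tokens;
    # a V1_0 trigger is ID-token only and is allowed in every plan.
    ptg = user_pool.get("LambdaConfig", {}).get("PreTokenGenerationConfig", {})
    if ptg.get("LambdaVersion") in ("V2_0", "V3_0"):
        active.add("access token customization")

    # AUDIT or ENFORCED means threat protection is on.
    if user_pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF") != "OFF":
        active.add("threat protection")

    # Assumption: the email method is enabled when EmailMfaConfiguration is present
    # and MFA is not switched off for the pool.
    if mfa_config.get("MfaConfiguration", "OFF") != "OFF" and "EmailMfaConfiguration" in mfa_config:
        active.add("email MFA")

    # Assumption: user-activity logs use the EventSource value `userAuthEvents`.
    for cfg in (log_delivery or {}).get("LogConfigurations", []):
        if cfg.get("EventSource") == "userAuthEvents":
            active.add("user activity log export")

    return active


def blocking_features(user_pool, mfa_config, log_delivery, target_tier):
    """Features that must be turned off before switching this pool to target_tier."""
    target = target_tier.upper()
    if target not in TIERS:
        raise ValueError(f"unknown tier {target_tier!r}; expected one of {sorted(TIERS)}")
    return sorted(
        feature
        for feature in active_features(user_pool, mfa_config, log_delivery)
        if target not in FEATURE_PLANS[feature]
    )


# Constructed sample: a Plus pool with every plan-gated feature turned on.
SAMPLE_USER_POOL = {
    "Id": "us-west-2_EXAMPLE",
    "UserPoolTier": "PLUS",
    "LambdaConfig": {"PreTokenGenerationConfig": {
        "LambdaArn": "arn:aws:lambda:us-west-2:111122223333:function:pre-token-example",
        "LambdaVersion": "V2_0"}},
    "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"},
}
SAMPLE_MFA_CONFIG = {
    "MfaConfiguration": "OPTIONAL",
    "EmailMfaConfiguration": {"Subject": "Your sign-in code", "Message": "Your code is {####}"},
}
SAMPLE_LOG_DELIVERY = {
    "UserPoolId": "us-west-2_EXAMPLE",
    "LogConfigurations": [{
        "LogLevel": "INFO",
        "EventSource": "userAuthEvents",
        "CloudWatchLogsConfiguration": {
            "LogGroupArn": "arn:aws:logs:us-west-2:111122223333:log-group:cognito-auth-events-example"},
    }],
}

if __name__ == "__main__":
    import boto3  # live check against the pool named above
    idp = boto3.client("cognito-idp", region_name="us-west-2")
    pool_id = SAMPLE_USER_POOL["Id"]
    pool = idp.describe_user_pool(UserPoolId=pool_id)["UserPool"]
    mfa = idp.get_user_pool_mfa_config(UserPoolId=pool_id)
    logs = idp.get_log_delivery_configuration(UserPoolId=pool_id).get("LogDeliveryConfiguration")
    for target in ("ESSENTIALS", "LITE"):
        print(pool.get("UserPoolTier"), "->", target, "blocked by:", blocking_features(pool, mfa, logs, target))
```

Run this before an `update-user-pool` that changes `--user-pool-tier`: the same downgrade attempted in the console is refused with a list of active features, and this check reproduces that list from the API so it can gate a deployment pipeline.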