

# Build a framework for exporting user profile and group information from your Amazon Cognito user pools
<a name="overview"></a>

This implementation guide discusses architectural considerations and configuration steps for deploying the Cognito User Profiles Export Reference Architecture Guidance in the Amazon Web Services (AWS) Cloud.

The guide is intended for IT infrastructure architects, administrators, and DevOps professionals who have practical experience architecting in the AWS Cloud.

Many Amazon Web Services (AWS) customers use [Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html) to provide a scalable and secure user directory for their applications. [Amazon Cognito](https://aws.amazon.com/cognito/) customers often need to export their users to facilitate more complex user queries, or to provide resiliency in case of regional failure or accidental deletion of their users. To assist with this, AWS offers the Cognito User Profiles Export Reference Architecture Guidance. This Guidance is designed to provide a framework for exporting user profile and group information from your user pool, allowing you to focus on extending this guidance’s functionality rather than managing the underlying infrastructure operation.

This guidance uses an `ExportWorkflow` [AWS Step Functions](https://aws.amazon.com/step-functions/) workflow to periodically export user profiles, groups, and group membership details from your user pool to an [Amazon DynamoDB global table](https://aws.amazon.com/dynamodb/global-tables/) with automatic, asynchronous replication to a backup Region for added resiliency.

This guidance’s `ImportWorkflow` Step Functions workflow can be used to populate a new, empty user pool with data from the global table, allowing you to easily recover user profiles, groups, and group memberships. The `ImportWorkflow` Step Functions workflow can be run in either the primary or backup Region.

Customers interested in using this guidance for both backup and recovery should be comfortable with a recovery time objective (RTO) measured in hours rather than minutes, since the guidance requires the `ImportWorkflow` Step Functions workflow to run in a recovery scenario. Refer to [Cognito transactions per second (TPS)](design-considerations.md#cognito-transactions-per-second-tps) for performance benchmarks for user pools of different sizes.

The recovery point objective (RPO) is determined by when the `ExportWorkflow` Step Functions workflow last ran in the primary Region: any updates made after the last `ExportWorkflow` run are lost.
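As an added example (not code from the guidance or the project), the export step described above written in Python against a duck-typed `cognito-idp` client: it walks the three paginated Cognito APIs, which use different pagination token names, and turns users, groups and group memberships into items for the global table. The `pk`/`sk` key layout and the `FakeCognito` stand-in are assumptions made for this example; a real run would pass a boto3 client and batch-write the returned items.

```python
from typing import Callable, Iterator

def _paginate(call: Callable, token_key: str, result_key: str, **kwargs) -> Iterator[dict]:
    # ListUsers pages with PaginationToken; ListGroups and ListUsersInGroup use NextToken.
    token = None
    while True:
        resp = call(**kwargs, **({token_key: token} if token else {}))
        yield from resp.get(result_key, [])
        token = resp.get(token_key)
        if not token:
            return

def _attrs(user: dict) -> dict:
    return {a["Name"]: a["Value"] for a in user.get("Attributes", [])}

def export_user_pool(cognito, user_pool_id: str) -> list:
    """Return global-table items (assumed pk/sk layout) for every profile, group and membership."""
    items = []
    for user in _paginate(cognito.list_users, "PaginationToken", "Users", UserPoolId=user_pool_id):
        attrs = _attrs(user)  # ListUsers never returns credentials, so no password material lands here
        items.append({"pk": f"USER#{attrs['sub']}", "sk": "PROFILE", "username": user["Username"],
                      "status": user.get("UserStatus"), "enabled": user.get("Enabled", True),
                      "attributes": attrs})
    for group in _paginate(cognito.list_groups, "NextToken", "Groups", UserPoolId=user_pool_id):
        name = group["GroupName"]
        items.append({"pk": f"GROUP#{name}", "sk": "GROUP", "precedence": group.get("Precedence"),
                      "description": group.get("Description")})
        for member in _paginate(cognito.list_users_in_group, "NextToken", "Users",
                                UserPoolId=user_pool_id, GroupName=name):
            items.append({"pk": f"USER#{_attrs(member)['sub']}", "sk": f"GROUP#{name}"})
    return items

class FakeCognito:
    """Constructed stand-in for a boto3 cognito-idp client: two users over two pages, one group."""
    def __init__(self):
        self.users = [
            {"Username": "alice", "UserStatus": "CONFIRMED", "Enabled": True,
             "Attributes": [{"Name": "sub", "Value": "s-1"}, {"Name": "email", "Value": "alice@example.com"}]},
            {"Username": "bob", "UserStatus": "CONFIRMED", "Enabled": False,
             "Attributes": [{"Name": "sub", "Value": "s-2"}, {"Name": "email", "Value": "bob@example.com"}]},
        ]
    def list_users(self, UserPoolId, PaginationToken=None, **_):
        if PaginationToken is None:
            return {"Users": self.users[:1], "PaginationToken": "page-2"}
        return {"Users": self.users[1:]}
    def list_groups(self, UserPoolId, NextToken=None):
        return {"Groups": [{"GroupName": "admins", "Precedence": 1}]}
    def list_users_in_group(self, UserPoolId, GroupName, NextToken=None):
        return {"Users": self.users[:1]} if GroupName == "admins" else {"Users": []}
```

The export role only needs `cognito-idp:ListUsers`, `cognito-idp:ListGroups` and `cognito-idp:ListUsersInGroup` on the source pool, which keeps the workflow read-only against the directory.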

## Limitations
<a name="limitations1"></a>

Customers interested in using this guidance should be aware that it does not export sensitive information, such as user passwords; that user pools with multi-factor authentication (MFA) enabled are not supported; and that advanced security features are not supported. For a full list of limitations, refer to [Limitations](guidance-components.md#limitations) in the guidance components section.

# Cost
<a name="cost"></a>

You are responsible for the cost of the AWS services used while running this guidance. As of this revision, the cost for running this guidance in the North Virginia Region with the Tokyo Region as backup is approximately **\$190.00 per month** for a user pool of 500,000 users (where each user is a member of one group) and a daily export frequency. Prices are subject to change. For full details, see the pricing webpage for each AWS service you will be using in this guidance.


| AWS Service | Total cost | 
| --- | --- | 
|  Amazon DynamoDB  |  \$186.00  | 
|  Amazon Step Functions  |  \$11.00  | 
|  Amazon Simple Queue Service (Amazon SQS)  |  \$11.00  | 
|  Amazon Simple Notification Service (Amazon SNS)  |  \$11.00  | 
|  AWS Lambda  |  \$11.00  | 

**IMPORTANT:** When the `ImportWorkflow` Step Functions workflow is run, it will create new users with the same profiles and group memberships in a new, empty user pool that you create. These new users will be treated by Cognito as additional monthly active users (MAU) when they are initially created by the guidance. Therefore, your Cognito cost could rise significantly during any month in which you run the `ImportWorkflow` Step Functions workflow. Refer to [Cognito’s Pricing Page](https://aws.amazon.com/cognito/pricing/) for more details on how Cognito MAUs are priced.

# Architecture overview
<a name="architecture-overview"></a>

Deploying this guidance with the default parameters builds the following environment in the AWS Cloud.

**Cognito User Profiles Export Reference Architecture architecture on AWS**

![User profiles export with Amazon Cognito](http://docs.aws.amazon.com/solutions/latest/cognito-user-profiles-export-reference-architecture/images/user-profiles-export-with-amazon-cognito.png)


1. In the primary AWS Region, an [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) scheduled [event](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/WhatIsCloudWatchEvents.html) invokes the [AWS Step Functions](https://aws.amazon.com/step-functions/) export workflow, which examines the primary [Amazon Cognito](https://aws.amazon.com/cognito/) user pool. It stores user profiles, groups, and group membership information in the global table.

    *Note: This Guidance does not create the primary user pool.* 

1. When the export workflow is complete, Step Functions sends a completion or error message to the [Amazon Simple Notification Service (Amazon SNS)](https://aws.amazon.com/sns/) topic for logging or troubleshooting.

1. [Amazon DynamoDB](https://aws.amazon.com/dynamodb/) asynchronously replicates all data to the backup Region for added resiliency.

1. In your backup Region, run the Step Functions import workflow, the counterpart of the export workflow in Step 1, to import data from the global table into a new, empty Amazon Cognito user pool. This enables you to easily recover user profiles, groups, and group memberships.

    *Note: This Guidance does not create the new user pool.* 

1. A mapping comma-separated values (CSV) file is uploaded to the guidance’s [Amazon Simple Storage Service (Amazon S3)](https://aws.amazon.com/s3/) bucket. This CSV file maps the line number reported by Amazon Cognito to the `sub` attribute of the corresponding user so that it can be included in the troubleshooting error message.

1. When the import workflow is complete, Step Functions sends a completion or error message to an Amazon SNS topic for logging or troubleshooting.
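To make Step 5 concrete, an added example (not the guidance's code) that writes the import CSV and the line-number-to-`sub` mapping CSV side by side, then uses the mapping to turn a line number reported by Cognito into a troubleshooting message. The simplified header, the line numbering (header counted as line 1) and the sample profiles are assumptions made here; a real import uses the header returned by the `GetCSVHeader` API, and `sub` is never part of that file because Cognito assigns a new one on import, which is why the mapping is needed.

```python
import csv
import io

# Simplified header (assumption); the real one comes from cognito-idp GetCSVHeader.
HEADER = ["cognito:username", "email", "email_verified", "cognito:mfa_enabled"]

def build_import_and_mapping(profiles: list) -> tuple:
    """Return (import_csv_text, mapping_csv_text) for exported profile items."""
    import_buf, map_buf = io.StringIO(), io.StringIO()
    w_import, w_map = csv.writer(import_buf), csv.writer(map_buf)
    w_import.writerow(HEADER)
    w_map.writerow(["line", "sub"])
    for line_no, p in enumerate(profiles, start=2):  # line 1 is the header row (assumed numbering)
        a = p["attributes"]
        # MFA-enabled pools are out of scope for the guidance, so mfa_enabled is always FALSE here.
        w_import.writerow([p["username"], a.get("email", ""),
                           str(a.get("email_verified", "false")).lower(), "FALSE"])
        w_map.writerow([line_no, a["sub"]])
    return import_buf.getvalue(), map_buf.getvalue()

def load_mapping(mapping_csv_text: str) -> dict:
    """Parse the mapping CSV back into {line_number: sub}."""
    return {int(r["line"]): r["sub"] for r in csv.DictReader(io.StringIO(mapping_csv_text))}

def describe_import_error(mapping: dict, line_no: int, reason: str) -> str:
    """Build the troubleshooting text the SNS notification would carry for a failed line."""
    sub = mapping.get(line_no)
    if sub is None:  # header line, or a line Cognito reported that the export never wrote
        return f"line {line_no}: {reason} (no exported user maps to this line)"
    return f"line {line_no} (sub {sub}): {reason}"

# Constructed sample profiles, in the shape an export run might store in the global table.
SAMPLE_PROFILES = [
    {"username": "alice", "attributes": {"sub": "s-1", "email": "alice@example.com", "email_verified": "true"}},
    {"username": "bob", "attributes": {"sub": "s-2", "email": "bob@example.com", "email_verified": "false"}},
]
```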