Build a framework for exporting user profile and group information from your Amazon Cognito user pools
Publication date: August 2020 (last update: August 2024)
Important
Cognito User Profiles Export Reference Architecture is being retired in March 2025. The Solution will no longer be supported from March 1, 2025. You can find other AWS Solutions in the AWS Solutions Library.
This implementation guide discusses architectural considerations and configuration steps for
deploying the Cognito User Profiles Export Reference Architecture solution in the Amazon Web
Services (AWS) Cloud. It includes a link to an AWS CloudFormation
The guide is intended for IT infrastructure architects, administrators, and DevOps professionals who have practical experience architecting in the AWS Cloud.
Many Amazon Web Services (AWS) customers use
Amazon Cognito user pools to provide a scalable and secure user
directory for their applications.
Amazon Cognito
This solution uses an ExportWorkflow
AWS Step Functions
This solution’s ImportWorkflow Step Functions workflow can be used to populate a new, empty user pool with data from the global table, allowing you to easily recover user profiles, groups, and group memberships. The ImportWorkflow Step Functions workflow can be run in either the primary or backup Region.
Customers interested in using this solution for both backup and recovery should be comfortable with a Recovery Time Objective (RTO) measured in hours rather than minutes since the solution requires the ImportWorkflow Step Functions workflow to run in a recovery scenario. Refer to Cognito transactions per second (TPS) for performance benchmarks for different sized user pools.
The Recovery Point Objective (RPO) is determined by the time the ExportWorkflow Step Functions workflow runs in the primary Region. You will lose any updates made after the last ExportWorkflow Step Functions workflow run.
Limitations
Customers interested in using this solution should be aware that it does not export sensitive information, such as user passwords; that user pools with multi-factor authentication (MFA) enabled are not supported; and that advanced security features are not supported. For a full list of limitations, refer to Limitations in the Solution components section.