Overview - Cognito User Profiles Export Reference Architecture

Overview

Many Amazon Web Services (AWS) customers use Amazon Cognito user pools to provide a scalable and secure user directory for their applications. Amazon Cognito customers often need to export their users to facilitate more complex user queries, or to provide resiliency in case of regional failure or accidental deletion of their users. To assist with this, AWS offers the Cognito User Profiles Export Reference Architecture solution. This solution is designed to provide a framework for exporting user profile and group information from your user pool, allowing you to focus on extending this solution’s functionality rather than managing the underlying infrastructure operation.

This solution uses an ExportWorkflow AWS Step Functions workflow to periodically export user profiles, groups, and group membership details from your user pool to an Amazon DynamoDB global table with automatic, asynchronous replication to a backup Region for added resiliency.

This solution’s ImportWorkflow Step Functions workflow can be used to populate a new, empty user pool with data from the global table, allowing you to easily recover user profiles, groups, and group memberships. The ImportWorkflow Step Functions workflow can be run in either the primary or backup Region.

Customers interested in using this solution for both backup and recovery should be comfortable with a Recovery Time Objective (RTO) measured in hours rather than minutes, because a recovery requires the ImportWorkflow Step Functions workflow to run to completion before users can sign in again. Refer to Cognito transactions per second (TPS) for performance benchmarks for different-sized user pools.

The Recovery Point Objective (RPO) is determined by when the ExportWorkflow Step Functions workflow last ran in the primary Region: any updates made to the user pool after that last run are lost.

Limitations

Customers interested in using this solution should be aware that it does not export sensitive information, such as user passwords; that user pools with multi-factor authentication (MFA) enabled are not supported; and that advanced security features are not supported. For a full list of limitations, refer to Limitations in the Solution components section.
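A pre-flight check for the two pool-level limitations above, written as an added example rather than code from the AWS solution. It reads the MfaConfiguration and UserPoolAddOns.AdvancedSecurityMode fields of a cognito-idp DescribeUserPool response (both real fields) and assumes, conservatively, that any value other than OFF in either field counts as the feature being enabled; the sample responses and pool IDs are constructed.

```python
"""Pre-flight check of a Cognito user pool against the limitations listed above.

Added example, not part of the AWS solution. Assumption: any MfaConfiguration
other than OFF counts as "MFA enabled", and any AdvancedSecurityMode other than
OFF counts as "advanced security features enabled".
"""
from typing import Dict, List


def unsupported_features(user_pool: Dict) -> List[str]:
    """Return the reasons a pool cannot be used with the export/import workflows.

    `user_pool` is the 'UserPool' dict from a DescribeUserPool response.
    An empty list means no known blocker was found.
    """
    reasons: List[str] = []
    # Pools with MFA enabled are not supported; OPTIONAL still lets users enrol.
    mfa = user_pool.get("MfaConfiguration", "OFF")
    if mfa != "OFF":
        reasons.append(f"MFA is enabled (MfaConfiguration={mfa})")
    # Advanced security features (AUDIT or ENFORCED) are not supported.
    # UserPoolAddOns is absent from the response when it was never configured.
    asm = user_pool.get("UserPoolAddOns", {}).get("AdvancedSecurityMode", "OFF")
    if asm != "OFF":
        reasons.append(f"advanced security is enabled (AdvancedSecurityMode={asm})")
    return reasons


def check_live_pool(user_pool_id: str, region: str) -> List[str]:
    """Fetch a real pool with boto3 (needs AWS credentials) and run the check."""
    import boto3  # imported here so the pure check runs without boto3 installed
    client = boto3.client("cognito-idp", region_name=region)
    pool = client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    return unsupported_features(pool)


# Constructed sample responses (shape only; the IDs are placeholders).
SUPPORTED_POOL = {"Id": "us-east-1_EXAMPLE1", "MfaConfiguration": "OFF",
                  "UserPoolAddOns": {"AdvancedSecurityMode": "OFF"}}
BLOCKED_POOL = {"Id": "us-east-1_EXAMPLE2", "MfaConfiguration": "OPTIONAL",
                "UserPoolAddOns": {"AdvancedSecurityMode": "ENFORCED"}}

if __name__ == "__main__":
    for pool in (SUPPORTED_POOL, BLOCKED_POOL):
        problems = unsupported_features(pool)
        print(pool["Id"], "OK" if not problems else "; ".join(problems))
```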

Cost

You are responsible for the cost of the AWS services used while running this solution. As of the date of publication, the cost of running this solution in the North Virginia Region with the Tokyo Region as backup is approximately $90.00 per month for a user pool of 500,000 users (where each user is a member of one group) and a daily export frequency. Prices are subject to change. For full details, see the pricing webpage for each AWS service you will be using in this solution.

AWS service                                        Total cost (per month)
-------------------------------------------------  ----------------------
Amazon DynamoDB                                    $86.00
AWS Step Functions                                 $1.00
Amazon Simple Queue Service (Amazon SQS)           $1.00
Amazon Simple Notification Service (Amazon SNS)    $1.00
AWS Lambda                                         $1.00

IMPORTANT: When the ImportWorkflow Step Functions workflow is run, it will create new users with the same profiles and group memberships in a new, empty user pool that you create. These new users will be treated by Cognito as additional monthly active users (MAU) when they are initially created by the solution. Therefore, your Cognito cost could rise significantly during any month in which you run the ImportWorkflow Step Functions workflow. Refer to Cognito’s Pricing Page for more details on how Cognito MAUs are priced.